Talos Rules 2016-05-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-05-05 13:48:58 UTC

Snort Subscriber Rules Update

Date: 2016-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
 * 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
 * 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
 * 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)
 * 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
 * 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
 * 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
 * 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
 * 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
 * 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
 * 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)

Modified Rules:


 * 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)

2016-05-05 13:48:58 UTC

Snort Subscriber Rules Update

Date: 2016-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
 * 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
 * 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
 * 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
 * 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
 * 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
 * 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
 * 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
 * 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
 * 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
 * 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)

Modified Rules:


 * 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)

2016-05-05 13:48:58 UTC

Snort Subscriber Rules Update

Date: 2016-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
 * 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
 * 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
 * 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
 * 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
 * 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
 * 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
 * 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
 * 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
 * 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
 * 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
 * 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
 * 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
 * 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
 * 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
 * 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)
 * 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)