Talos Rules 2016-05-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-identify, file-image, file-other, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-05-11 22:16:12 UTC

Snort Subscriber Rules Update

Date: 2016-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38865 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 1:38864 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38853 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38875 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38866 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 1:38854 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38855 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38863 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38862 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file download request (file-identify.rules)
 * 1:38874 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38852 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38851 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file download request (file-identify.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 3:38849 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38850 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38860 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38861 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38867 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0135 attack attempt (server-other.rules)
 * 3:38868 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)
 * 3:38869 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)
 * 3:38870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0138 attack attempt (server-other.rules)

Modified Rules:


 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)

2016-05-11 22:16:12 UTC

Snort Subscriber Rules Update

Date: 2016-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38854 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38874 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38853 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38864 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38865 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 1:38862 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file download request (file-identify.rules)
 * 1:38863 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38851 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file download request (file-identify.rules)
 * 1:38852 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38855 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38875 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38866 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 3:38849 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38850 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38860 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38861 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38867 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0135 attack attempt (server-other.rules)
 * 3:38868 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)
 * 3:38870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0138 attack attempt (server-other.rules)
 * 3:38869 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)

Modified Rules:


 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)

2016-05-11 22:16:12 UTC

Snort Subscriber Rules Update

Date: 2016-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38875 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38874 <-> ENABLED <-> FILE-FLASH Adobe Flash type confusion attempt (file-flash.rules)
 * 1:38873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MSIMG32.dll dll-load exploit attempt (file-flash.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38866 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 1:38865 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file magic detected (file-identify.rules)
 * 1:38864 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38863 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file attachment detected (file-identify.rules)
 * 1:38862 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul Office Document file download request (file-identify.rules)
 * 1:38855 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38854 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file magic detected (file-identify.rules)
 * 1:38853 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38852 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file attachment detected (file-identify.rules)
 * 1:38851 <-> ENABLED <-> FILE-IDENTIFY Hancom Hangul HCell file download request (file-identify.rules)
 * 3:38849 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38850 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-CAN-0166 attack attempt (os-windows.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38860 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38861 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0159 attack attempt (file-other.rules)
 * 3:38867 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0135 attack attempt (server-other.rules)
 * 3:38868 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)
 * 3:38870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0138 attack attempt (server-other.rules)
 * 3:38869 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0144 attack attempt (file-other.rules)

Modified Rules:


 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)