Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, malware-other, policy-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
* 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
* 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
* 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
* 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
* 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
* 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

* 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
* 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
* 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
* 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
* 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
* 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
* 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
* 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

* 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)
* 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
* 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
* 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
* 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
* 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
* 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
* 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
* 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
* 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
* 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
* 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

* 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
* 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)
* 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
* 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)