Talos Rules 2016-07-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-other, file-flash, file-office, indicator-compromise, malware-cnc, protocol-tftp, pua-adware, server-mssql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-07-05 21:08:54 UTC

Snort Subscriber Rules Update

Date: 2016-07-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
 * 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
 * 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
 * 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
 * 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
 * 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
 * 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
 * 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
 * 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)
 * 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)

Modified Rules:

 * 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
 * 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
 * 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
 * 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)

2016-07-05 21:08:54 UTC

Snort Subscriber Rules Update

Date: 2016-07-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
 * 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
 * 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
 * 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
 * 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
 * 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
 * 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
 * 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
 * 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)
 * 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)

Modified Rules:

 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
 * 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
 * 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
 * 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)

2016-07-05 21:08:54 UTC

Snort Subscriber Rules Update

Date: 2016-07-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)
 * 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)
 * 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
 * 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
 * 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
 * 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
 * 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
 * 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
 * 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
 * 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
 * 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
 * 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
 * 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
 * 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
 * 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
 * 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
 * 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)