Talos Rules 2016-07-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-07-19 16:07:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
 * 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
 * 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
 * 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
 * 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
 * 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
 * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
 * 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
 * 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)

Modified Rules:


 * 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
 * 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
 * 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)

2016-07-19 16:07:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
 * 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
 * 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
 * 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
 * 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
 * 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
 * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
 * 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
 * 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)

Modified Rules:


 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
 * 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)

2016-07-19 16:07:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
 * 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
 * 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
 * 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
 * 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
 * 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
 * 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
 * 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
 * 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
 * 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
 * 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
 * 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
 * 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
 * 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
 * 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
 * 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
 * 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
 * 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
 * 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
 * 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)

Modified Rules:


 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
 * 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
 * 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)