Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
* 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
* 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
* 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
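The listing above follows the "gid:sid <-> Default rule state <-> Message (rule group)" format described earlier, and in practice an operator wants to pull three things out of it before deploying a pack: which rules ship DISABLED (so they can be reviewed and, if wanted, turned on), which entries are gid:3 shared-object rules (which only give coverage when the matching precompiled so_rules for the sensor's Snort build are installed), and what changed between two packs. The parser below is an added example, not Talos or Snort code; the sample lines are constructed from the entries above, and the "gid:sid" output lines follow PulledPork's enablesid.conf syntax (an assumption about how the reader manages rules).

```python
import re
from collections import Counter, defaultdict

# Listing lines constructed from the rule pack above, in the page's own
# "gid:sid <-> Default rule state <-> Message (rule group)" format. The
# third line deliberately carries two rules run together, as the extracted
# page does, to show the parser copes with that.
SAMPLE_LISTING = """\
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
* 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules) * 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
* 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
"""

# One entry: gid:sid, state, free-text message, then the .rules file in parentheses.
RULE_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


def parse_listing(text):
    """Parse a rule-update listing into one dict per rule.

    finditer is used instead of splitting on lines, so a line that carries
    several "* gid:sid <-> ..." entries still yields every rule.
    """
    return [
        {
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
        }
        for m in RULE_RE.finditer(text)
    ]


def coverage_by_group(rules):
    """Count ENABLED/DISABLED rules per .rules file."""
    counts = defaultdict(Counter)
    for r in rules:
        counts[r["group"]][r["state"]] += 1
    return {g: dict(c) for g, c in counts.items()}


def disabled_sids(rules):
    """Rules the pack leaves DISABLED, as 'gid:sid' strings (PulledPork
    enablesid.conf syntax, assumed here). Review before enabling: a rule is
    usually off by default because it is noisy or targets software few
    sites run."""
    off = sorted((r["gid"], r["sid"]) for r in rules if r["state"] == "DISABLED")
    return [f"{gid}:{sid}" for gid, sid in off]


def shared_object_sids(rules):
    """gid:3 entries are shared-object (SO) rules; they need the precompiled
    so_rules for the sensor's exact Snort version and platform, so a listing
    entry alone does not mean the sensor has coverage."""
    return [f"{r['gid']}:{r['sid']}" for r in rules if r["gid"] == 3]


def diff_listings(old_rules, new_rules):
    """Compare two packs by (gid, sid): returns (added, removed, state_changes),
    where state_changes maps 'gid:sid' to (old_state, new_state)."""
    old = {(r["gid"], r["sid"]): r["state"] for r in old_rules}
    new = {(r["gid"], r["sid"]): r["state"] for r in new_rules}
    added = sorted(f"{g}:{s}" for g, s in new.keys() - old.keys())
    removed = sorted(f"{g}:{s}" for g, s in old.keys() - new.keys())
    changed = {
        f"{g}:{s}": (old[(g, s)], new[(g, s)])
        for g, s in old.keys() & new.keys()
        if old[(g, s)] != new[(g, s)]
    }
    return added, removed, changed


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print(f"{len(rules)} rules parsed")
    print("disabled by default:", disabled_sids(rules))
    print("SO rules (need so_rules for this Snort build):", shared_object_sids(rules))
    for group, counts in sorted(coverage_by_group(rules).items()):
        print(f"  {group:22} {counts}")
```

Run it against a saved copy of a release page to get the enablesid candidates and the SO-rule list for that pack; feeding two saved pages to diff_listings shows which SIDs were added, dropped, or flipped between default states, which is what a change-control ticket for a sensor fleet normally needs to record.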
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
* 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
* 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
* 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
* 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
* 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
* 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
* 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
* 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
* 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
* 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
* 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
* 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)