Talos Rules 2016-08-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-other, file-pdf, malware-cnc, malware-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-08-04 14:59:09 UTC

Snort Subscriber Rules Update

Date: 2016-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39804 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39777 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 1:39781 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39782 <-> ENABLED <-> BLACKLIST DNS request for known malware domain file.anyoffice.info - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39784 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yejia.blackbeny.com - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39802 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hancitor variant outbound connection (malware-cnc.rules)
 * 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39789 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39780 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39779 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39778 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file download request (file-identify.rules)
 * 1:39783 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tech.decipherment.net - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39785 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lientchtp variant outbound connection (malware-cnc.rules)
 * 1:39806 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39788 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound connection (malware-cnc.rules)
 * 1:39805 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39776 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 3:39790 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39791 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39792 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39793 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39794 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39795 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers insecure guest account login attempt (server-webapp.rules)
 * 3:39796 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)
 * 3:39797 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)

Modified Rules:

 * 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)
 * 1:25531 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)

2016-08-04 14:59:09 UTC

Snort Subscriber Rules Update

Date: 2016-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39779 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39783 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tech.decipherment.net - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39784 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yejia.blackbeny.com - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39776 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 1:39777 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 1:39780 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39778 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file download request (file-identify.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39788 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39789 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hancitor variant outbound connection (malware-cnc.rules)
 * 1:39801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound connection (malware-cnc.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39802 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:39785 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lientchtp variant outbound connection (malware-cnc.rules)
 * 1:39806 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39782 <-> ENABLED <-> BLACKLIST DNS request for known malware domain file.anyoffice.info - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39804 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39805 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39781 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 3:39790 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39791 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39792 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39793 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39794 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39795 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers insecure guest account login attempt (server-webapp.rules)
 * 3:39796 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)
 * 3:39797 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)

Modified Rules:

 * 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)
 * 1:25531 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)

2016-08-04 14:59:09 UTC

Snort Subscriber Rules Update

Date: 2016-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39806 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39805 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39804 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39802 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:39801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound connection (malware-cnc.rules)
 * 1:39800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hancitor variant outbound connection (malware-cnc.rules)
 * 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:39789 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39788 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39785 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lientchtp variant outbound connection (malware-cnc.rules)
 * 1:39784 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yejia.blackbeny.com - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39783 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tech.decipherment.net - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39782 <-> ENABLED <-> BLACKLIST DNS request for known malware domain file.anyoffice.info - Win.Trojan.Lientchtp (blacklist.rules)
 * 1:39781 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39780 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39779 <-> DISABLED <-> FILE-OTHER Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt (file-other.rules)
 * 1:39778 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file download request (file-identify.rules)
 * 1:39777 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 1:39776 <-> ENABLED <-> FILE-IDENTIFY Heroes of Might and Magic III map file attachment detected (file-identify.rules)
 * 3:39790 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39791 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39792 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi command injection attempt (server-webapp.rules)
 * 3:39793 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39794 <-> ENABLED <-> SERVER-WEBAPP Cisco RV180 VPN Router platform.cgi directory traversal attempt (server-webapp.rules)
 * 3:39795 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers insecure guest account login attempt (server-webapp.rules)
 * 3:39796 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)
 * 3:39797 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt (protocol-voip.rules)

Modified Rules:

 * 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)
 * 1:25531 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)