Talos Rules 2016-08-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-08-18 15:56:04 UTC

Snort Subscriber Rules Update

Date: 2016-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
 * 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)
 * 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)

2016-08-18 15:56:04 UTC

Snort Subscriber Rules Update

Date: 2016-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
 * 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
 * 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
 * 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)
 * 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)

Modified Rules:

 * 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)

2016-08-18 15:56:04 UTC

Snort Subscriber Rules Update

Date: 2016-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
 * 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
 * 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
 * 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)
 * 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)

Modified Rules:

 * 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)