Talos Rules 2016-09-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-identify, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-09-06 19:53:35 UTC

Snort Subscriber Rules Update

Date: 2016-09-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
 * 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
 * 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
 * 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
 * 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
 * 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
 * 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

Modified Rules:


 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
 * 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)

2016-09-06 19:53:35 UTC

Snort Subscriber Rules Update

Date: 2016-09-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
 * 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
 * 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
 * 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
 * 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
 * 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

Modified Rules:


 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
 * 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
 * 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)

2016-09-06 19:53:35 UTC

Snort Subscriber Rules Update

Date: 2016-09-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
 * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
 * 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
 * 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
 * 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
 * 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
 * 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
 * 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
 * 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
 * 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

Modified Rules:


 * 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
 * 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
 * 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
 * 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
 * 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
 * 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)