Talos Rules 2016-09-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-other, malware-cnc, malware-other, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-09-08 15:09:45 UTC

Snort Subscriber Rules Update

Date: 2016-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40066 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Fareit (blacklist.rules)
 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection attempt (malware-cnc.rules)
 * 1:40065 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40061 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant outbound connection (malware-cnc.rules)
 * 1:40062 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant inbound connection (malware-cnc.rules)
 * 1:40059 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40060 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40057 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:40055 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40056 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40053 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40054 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40051 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40052 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40050 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)

Modified Rules:


 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:36952 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:36953 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)

2016-09-08 15:09:45 UTC

Snort Subscriber Rules Update

Date: 2016-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40065 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40050 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40051 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40054 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40052 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40053 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40055 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40056 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40057 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:40059 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40060 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40062 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant inbound connection (malware-cnc.rules)
 * 1:40061 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant outbound connection (malware-cnc.rules)
 * 1:40066 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Fareit (blacklist.rules)
 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection attempt (malware-cnc.rules)
 * 1:40064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)

Modified Rules:


 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:36953 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:36952 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)

2016-09-08 15:09:45 UTC

Snort Subscriber Rules Update

Date: 2016-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection attempt (malware-cnc.rules)
 * 1:40066 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Fareit (blacklist.rules)
 * 1:40065 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS Server NULL pointer dereference denial-of-service attempt (os-windows.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40062 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant inbound connection (malware-cnc.rules)
 * 1:40061 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Morel variant outbound connection (malware-cnc.rules)
 * 1:40060 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40059 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected (malware-cnc.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:40057 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40056 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40055 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40054 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40053 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40052 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40051 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40050 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)

Modified Rules:


 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:36952 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:36953 <-> ENABLED <-> FILE-OTHER Microsoft Windows Font Viewer cmap offset integer underflow attempt (file-other.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)