Talos Rules 2016-09-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-09-15 14:51:20 UTC

Snort Subscriber Rules Update

Date: 2016-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)
 * 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
 * 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
 * 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
 * 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
 * 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
 * 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
 * 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
 * 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
 * 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
 * 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
 * 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
 * 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
 * 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
 * 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)
 * 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
 * 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)

2016-09-15 14:51:20 UTC

Snort Subscriber Rules Update

Date: 2016-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
 * 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)
 * 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
 * 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
 * 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
 * 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
 * 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
 * 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
 * 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
 * 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
 * 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
 * 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
 * 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
 * 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
 * 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)
 * 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
 * 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)

2016-09-15 14:51:20 UTC

Snort Subscriber Rules Update

Date: 2016-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
 * 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
 * 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
 * 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
 * 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
 * 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
 * 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
 * 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)
 * 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
 * 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
 * 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
 * 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
 * 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
 * 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
 * 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
 * 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
 * 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
 * 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
 * 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)
 * 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
 * 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
 * 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
 * 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)