Talos Rules 2016-09-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

The three entries below carry the same timestamp and list the same rule pack, built for Snort 2976, 2982 and 2983 respectively; only the ordering of the rule lines differs between them.

2016-09-22 15:04:03 UTC

Snort Subscriber Rules Update

Date: 2016-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)
 * 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
 * 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
 * 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
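Two things a practitioner wants out of a change log like the one above: a deduplicated inventory (the same gid:sid lines are repeated once per Snort version), and the list of rules that ship DISABLED by default, since the new server-side coverage here (FreePBX, Idera Up.Time, the SERVER-MYSQL privilege-escalation pair) is off unless you turn it on. The parser below is an added example, not Talos or Snort project code; it reads the `gid:sid <-> state <-> message (group)` line format described above. The sample text is constructed from a few lines on this page, the function names are mine, the `gid:sid`-per-line output is the form pulledpork's `enablesid.conf` accepts, and the GID 3 caveat reflects that GID 3 denotes shared-object rules, which need the precompiled .so for your platform rather than a text rule.

```python
"""Parse Talos release-note rule lists into a deduplicated inventory.

Added example; not code from Talos or the Snort project.
"""
import re
from collections import Counter, namedtuple

# One rule line: " * 1:40256 <-> DISABLED <-> SERVER-WEBAPP ... (server-webapp.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(New|Modified) Rules:\s*$")

Rule = namedtuple("Rule", "gid sid state msg group section")

# Constructed sample: two Snort-version blocks repeating the same lines,
# mirroring the layout of the release notes on this page.
SAMPLE_NOTES = """
Snort Subscriber Rules Update

New Rules:

 * 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)

Snort Subscriber Rules Update

New Rules:

 * 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
"""


def parse_release_notes(text):
    """Return {(gid, sid): Rule}, collapsing repeats across version blocks.

    A SID seen again with a different default state raises, because that
    would mean the blocks do not describe the same rule pack content.
    """
    rules = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()  # "new" or "modified"
            continue
        m = RULE_RE.match(line)
        if not m or section is None:
            continue  # headers, blank lines, prose
        key = (int(m["gid"]), int(m["sid"]))
        rule = Rule(key[0], key[1], m["state"], m["msg"], m["group"], section)
        if key in rules and rules[key].state != rule.state:
            raise ValueError(f"conflicting default state for {key[0]}:{key[1]}")
        rules.setdefault(key, rule)
    return rules


def disabled_by_default(rules, section=None):
    """Rules shipped DISABLED, optionally limited to 'new' or 'modified'."""
    return sorted(
        (r for r in rules.values()
         if r.state == "DISABLED" and (section is None or r.section == section)),
        key=lambda r: (r.gid, r.sid),
    )


def enablesid_lines(rules, groups):
    """gid:sid lines for every DISABLED rule in the chosen rule groups.

    GID 3 entries are shared-object rules: enabling them only works if the
    precompiled .so for your platform is installed alongside the text rules.
    """
    wanted = set(groups)
    return [f"{r.gid}:{r.sid}" for r in disabled_by_default(rules) if r.group in wanted]


def summarize(rules):
    """Counter keyed by (section, group, state) for a quick coverage overview."""
    return Counter((r.section, r.group, r.state) for r in rules.values())


if __name__ == "__main__":
    inventory = parse_release_notes(SAMPLE_NOTES)
    for key, count in sorted(summarize(inventory).items()):
        print(f"{key[0]:8s} {key[1]:24s} {key[2]:8s} {count}")
    print("\n".join(enablesid_lines(inventory, ["server-webapp.rules", "server-mysql.rules"])))
```

Feed the real release notes in place of `SAMPLE_NOTES` and the `enablesid_lines` output can be appended to pulledpork's `enablesid.conf`; review each SID's message first, since DISABLED-by-default rules in SERVER-* groups are usually disabled for false-positive or performance reasons rather than lack of relevance.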

2016-09-22 15:04:03 UTC

Snort Subscriber Rules Update

Date: 2016-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
 * 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)
 * 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)

Modified Rules:


 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
 * 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)

2016-09-22 15:04:03 UTC

Snort Subscriber Rules Update

Date: 2016-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
 * 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
 * 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)
 * 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)

Modified Rules:


 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
 * 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
 * 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
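The entries above are plain text, and the practical follow-up for an operator is to pull out the rules that ship DISABLED for technologies actually present in the environment (ActiveMQ, BIND, WebSphere, Openfire, OpManager and so on) and turn them on. The Python below is an added example, not part of Talos's changelog or tooling: it parses lines in the `gid:sid <-> state <-> message (rulefile)` layout used in this list, filters the disabled entries by keyword, and emits `gid:sid` lines in the form PulledPork's enablesid.conf accepts. The sample lines are copied from the list above; the keyword list and the function names are this example's own choices.

```python
import re

# One changelog entry: " * gid:sid <-> STATE <-> message (rulefile)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: a handful of entries copied verbatim from the list above.
SAMPLE = """\
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
"""


def parse_changelog(text):
    """Return one dict per well-formed entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything not in entry form
        d = m.groupdict()
        d["gid"] = int(d["gid"])
        d["sid"] = int(d["sid"])
        entries.append(d)
    return entries


def disabled_matching(entries, keywords):
    """Rules that ship DISABLED and whose message mentions any keyword (case-insensitive).

    Order of the input is preserved so the result can be compared with the changelog."""
    kws = [k.lower() for k in keywords]
    return [
        e for e in entries
        if e["state"] == "DISABLED" and any(k in e["msg"].lower() for k in kws)
    ]


def enablesid_lines(entries):
    """Format entries as sorted 'gid:sid' lines for PulledPork's enablesid.conf."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries)


if __name__ == "__main__":
    # Hypothetical environment: the operator runs ActiveMQ and BIND.
    hits = disabled_matching(parse_changelog(SAMPLE), ["ActiveMQ", "BIND"])
    for e in hits:
        print(f"{e['gid']}:{e['sid']}  {e['group']:<22} {e['msg']}")
    print("\n".join(enablesid_lines(hits)))
```

Feed the full "Modified Rules" and "New Rules" lists to `parse_changelog` and keep the keyword list in version control next to enablesid.conf, so each Talos release can be diffed against the technologies you actually run rather than enabled wholesale; DISABLED-by-default rules are often the noisier or DoS-class signatures, so review the message before enabling.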