Talos Rules 2016-09-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, exploit-kit, file-image, file-office, indicator-shellcode, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-09-27 14:13:23 UTC

Snort Subscriber Rules Update

Date: 2016-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40278 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
 * 1:40280 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
 * 1:40279 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
 * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40284 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftware.xyz - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
 * 1:40285 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftwindowsupdate.org - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain phoneupdates.xyz - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)

Modified Rules:


 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:27844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
 * 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:17603 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27843 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)

2016-09-27 14:13:23 UTC

Snort Subscriber Rules Update

Date: 2016-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain phoneupdates.xyz - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40285 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftwindowsupdate.org - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40284 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftware.xyz - Win.Trojan.Sapertilz (blacklist.rules)
 * 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
 * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40280 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
 * 1:40279 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
 * 1:40278 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
 * 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)

Modified Rules:


 * 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
 * 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:17603 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
 * 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules)
 * 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
 * 1:27843 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:27844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)