Talos Rules 2016-10-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2976

2016-10-06 15:01:26 UTC

Snort Subscriber Rules Update

Date: 2016-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cry variant outbound connection (malware-cnc.rules)
 * 1:40341 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php PHP code injection attempt (server-webapp.rules)
 * 1:40338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection detected (malware-cnc.rules)
 * 1:40339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cry variant outbound connection (malware-cnc.rules)
 * 1:40344 <-> ENABLED <-> PROTOCOL-DNS ISC BIND isc__buffer_add assertion failure denial of service attempt (protocol-dns.rules)
 * 1:40342 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php directory traversal attempt (server-webapp.rules)
 * 3:40337 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0200 attack attempt (file-pdf.rules)
 * 3:40287 <-> ENABLED <-> SERVER-OTHER Cisco prime collaboration provisioning web framework access control bypass attempt (server-other.rules)
 * 3:40336 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0200 attack attempt (file-pdf.rules)
 * 3:40343 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS malformed BGP UPDATE denial of service attempt (server-other.rules)

Modified Rules:


 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)
 * 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)

2983

2016-10-06 15:01:26 UTC

Snort Subscriber Rules Update

Date: 2016-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40344 <-> ENABLED <-> PROTOCOL-DNS ISC BIND isc__buffer_add assertion failure denial of service attempt (protocol-dns.rules)
 * 1:40342 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php directory traversal attempt (server-webapp.rules)
 * 1:40341 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php PHP code injection attempt (server-webapp.rules)
 * 1:40340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cry variant outbound connection (malware-cnc.rules)
 * 1:40339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cry variant outbound connection (malware-cnc.rules)
 * 1:40338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bartallex outbound connection detected (malware-cnc.rules)
 * 3:40337 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0200 attack attempt (file-pdf.rules)
 * 3:40287 <-> ENABLED <-> SERVER-OTHER Cisco prime collaboration provisioning web framework access control bypass attempt (server-other.rules)
 * 3:40336 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0200 attack attempt (file-pdf.rules)
 * 3:40343 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS malformed BGP UPDATE denial of service attempt (server-other.rules)

Modified Rules:


 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)
 * 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)