Talos Rules 2016-10-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, file-flash, file-office, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats. Note the default rule state on each entry below: rules shipped DISABLED (for example the Avtech IP Camera and Nibbleblog server-webapp rules) do not fire until you enable them in your rule configuration.

Change logs

2016-10-13 17:47:14 UTC

Snort Subscriber Rules Update

Date: 2016-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
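As an added example, not code from the Talos release note itself, the following Python script parses this gid:sid <-> state <-> message format, splits the message into its category prefix (FILE-PDF, SERVER-WEBAPP, ...) and the rule file, and emits the gid:sid lines a rule manager such as pulledpork accepts in enablesid.conf for rules that ship DISABLED. It serves both rule-pack listings on this page; the embedded sample is a constructed excerpt copied from the lists below.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the listing below,
# in the exact release-note format (gid:sid <-> state <-> message (file)).
SAMPLE = """\
New Rules:

 * 1:40456 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt (file-pdf.rules)
 * 1:40446 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera authentication bypass attempt (server-webapp.rules)
 * 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
 * 1:40449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
"""

# One entry per line; the message is matched non-greedily so that a
# message containing parentheses still leaves the trailing "(x.rules)"
# as the rule file.
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<file>[\w.-]+\.rules)\)\s*$"
)


def parse_release_note(text):
    """Return a list of dicts, one per rule line, tagged with the section
    ("new" or "modified") the line appeared under."""
    section = None
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, anything not a rule entry
        msg = m.group("msg")
        rules.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "category": msg.split(" ", 1)[0],  # e.g. SERVER-WEBAPP
            "msg": msg,
            "file": m.group("file"),
            "section": section,
        })
    return rules


def disabled_in(rules, categories):
    """gid:sid strings for rules that ship DISABLED in the given categories,
    i.e. the ones you must opt into before they produce alerts."""
    wanted = set(categories)
    return [f"{r['gid']}:{r['sid']}" for r in rules
            if r["state"] == "DISABLED" and r["category"] in wanted]


def enablesid_lines(rules, categories):
    """Render disabled_in() as one gid:sid per line, the form pulledpork's
    enablesid.conf accepts (assumption: you manage rules with pulledpork)."""
    return "\n".join(disabled_in(rules, categories))


def state_summary(rules):
    """Count entries by (section, default state) for a quick sanity check."""
    return Counter((r["section"], r["state"]) for r in rules)


if __name__ == "__main__":
    parsed = parse_release_note(SAMPLE)
    print(state_summary(parsed))
    print(enablesid_lines(parsed, ["SERVER-WEBAPP"]))
```

Run it against the full release note text to get an enablesid list for the categories that matter in your environment; whether to turn on a DISABLED rule (an IP camera web interface you do not expose, a blog engine you do not run) is a per-deployment decision, and the default state is Talos's judgment of false-positive risk versus coverage, not a statement about severity.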

New Rules:


 * 1:40456 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt (file-pdf.rules)
 * 1:40446 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera authentication bypass attempt (server-webapp.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
 * 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
 * 1:40449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules)
 * 1:40451 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway KavaChart Component directory traversal attempt (server-webapp.rules)
 * 1:40452 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt (file-flash.rules)
 * 1:40453 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt (file-flash.rules)
 * 1:40454 <-> DISABLED <-> SERVER-WEBAPP Nibbleblog remote code execution attempt (server-webapp.rules)
 * 1:40455 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt (file-pdf.rules)
 * 1:40461 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Deshacop variant outbound connection (malware-cnc.rules)
 * 1:40459 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:40460 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:40457 <-> DISABLED <-> PUA-ADWARE Win.Downloader.OpenCandy variant outbound connection (pua-adware.rules)
 * 1:40458 <-> DISABLED <-> BROWSER-OTHER Android browser file exfiltration attempt (browser-other.rules)

Modified Rules:


 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:30243 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)

2016-10-13 17:47:14 UTC

Snort Subscriber Rules Update

Date: 2016-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40461 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Deshacop variant outbound connection (malware-cnc.rules)
 * 1:40460 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:40459 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:40458 <-> DISABLED <-> BROWSER-OTHER Android browser file exfiltration attempt (browser-other.rules)
 * 1:40457 <-> DISABLED <-> PUA-ADWARE Win.Downloader.OpenCandy variant outbound connection (pua-adware.rules)
 * 1:40456 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt (file-pdf.rules)
 * 1:40455 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG engine spurious object reference use after free attempt (file-pdf.rules)
 * 1:40454 <-> DISABLED <-> SERVER-WEBAPP Nibbleblog remote code execution attempt (server-webapp.rules)
 * 1:40453 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt (file-flash.rules)
 * 1:40452 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 Primetime timeline ShimContentResolver out of bounds read attempt (file-flash.rules)
 * 1:40451 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway KavaChart Component directory traversal attempt (server-webapp.rules)
 * 1:40450 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Agent file download attempt (malware-cnc.rules)
 * 1:40449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40448 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
 * 1:40447 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt (server-webapp.rules)
 * 1:40446 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera authentication bypass attempt (server-webapp.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:30243 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malicious cce value following a PtgMemFunc token (file-office.rules)