Talos Rules 2016-10-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-executable, file-office, file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats. Note that the three new Magento SQL injection rules (1:40462 through 1:40464) ship DISABLED by default and must be enabled explicitly if you want that coverage; the gid 3 entries are shared-object (SO) rules, which is why a separate pack is listed for each supported Snort build below.

Change logs

2016-10-18 15:55:25 UTC

Snort Subscriber Rules Update

Date: 2016-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40462 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hades outbound connection (malware-cnc.rules)
 * 1:40464 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40463 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 3:40491 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0199 attack attempt (file-office.rules)
 * 3:40468 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40477 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40474 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40475 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40471 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40469 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40472 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40473 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40484 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40478 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40479 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40481 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40480 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40489 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0222 attack attempt (file-executable.rules)
 * 3:40488 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0222 attack attempt (file-executable.rules)
 * 3:40470 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40482 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0221 attack attempt (server-other.rules)
 * 3:40486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40487 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40490 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0199 attack attempt (file-office.rules)
 * 3:40483 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0221 attack attempt (server-other.rules)

Modified Rules:


 * 1:40011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
 * 1:40235 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (malware-cnc.rules)
 * 1:40380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
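The changelog above follows the one-line-per-rule format stated in the header (gid:sid <-> Default rule state <-> Message (rule group)). The following is an added example, written for this page and not code from Talos or from the Snort project, that parses that format, flags which new rules ship DISABLED, and emits them as a gid:sid list of the kind you would drop into a PulledPork enablesid.conf. The sample input is a constructed excerpt of the lines listed above; the treatment of gid 3 as a shared-object rule is standard Snort numbering, everything else (function names, the keyword filter) is this example's own choice.

```python
import re
from collections import Counter

# One changelog line, in the format the release notes describe:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The message always opens with an upper-case category token (SERVER-WEBAPP, MALWARE-CNC, ...).
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s*"
    r"\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed excerpt of the 2016-10-18 changelog (not the full list).
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:40462 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hades outbound connection (malware-cnc.rules)
 * 1:40464 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40463 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 3:40491 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0199 attack attempt (file-office.rules)
 * 3:40468 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40484 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line; headers, blank lines and anything else are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "category": m["category"],
            "msg": m["msg"],
            "group": m["group"],
            # gid 3 is the Snort generator id for shared-object (SO) rules, which need
            # the precompiled .so matching your Snort build, not just the text rule file.
            "shared_object": m["gid"] == "3",
        })
    return rules


def disabled_by_default(rules, keyword=None):
    """gid:sid strings for rules shipped DISABLED, optionally filtered by a keyword in the message.

    The result is sorted numerically so it can be pasted straight into an enablesid list.
    """
    out = []
    for r in rules:
        if r["state"] != "DISABLED":
            continue
        if keyword and keyword.lower() not in r["msg"].lower():
            continue
        out.append(f'{r["gid"]}:{r["sid"]}')
    return sorted(out, key=lambda s: tuple(int(x) for x in s.split(":")))


def summarize(rules):
    """Count rules per (category, default state), e.g. to eyeball what a release actually changes."""
    return Counter((r["category"], r["state"]) for r in rules)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for (cat, state), n in sorted(summarize(parsed).items()):
        print(f"{cat:15} {state:9} {n}")
    print("# disabled-by-default rules to review (Magento):")
    for entry in disabled_by_default(parsed, keyword="Magento"):
        print(entry)
```

Run it against the full text of the changelog (copy the section into a file and read it in place of SAMPLE_CHANGELOG) to get the complete list of rules you need to enable by hand; with this excerpt the Magento filter yields 1:40462, 1:40463 and 1:40464.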

2016-10-18 15:55:25 UTC

Snort Subscriber Rules Update

Date: 2016-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hades outbound connection (malware-cnc.rules)
 * 1:40466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection (malware-cnc.rules)
 * 1:40464 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40463 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 1:40462 <-> DISABLED <-> SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt (server-webapp.rules)
 * 3:40491 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0199 attack attempt (file-office.rules)
 * 3:40490 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0199 attack attempt (file-office.rules)
 * 3:40489 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0222 attack attempt (file-executable.rules)
 * 3:40488 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0222 attack attempt (file-executable.rules)
 * 3:40487 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40484 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0202 attack attempt (file-pdf.rules)
 * 3:40483 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0221 attack attempt (server-other.rules)
 * 3:40482 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0221 attack attempt (server-other.rules)
 * 3:40481 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40480 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40479 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40478 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40477 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0220 attack attempt (server-other.rules)
 * 3:40475 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40474 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40473 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40472 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40471 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40470 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40468 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)
 * 3:40469 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt (server-other.rules)

Modified Rules:


 * 1:40011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
 * 1:40235 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (malware-cnc.rules)
 * 1:40380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)