Talos Rules 2016-10-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-10-27 18:03:22 UTC

Snort Subscriber Rules Update

Date: 2016-10-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40571 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
 * 1:40572 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
 * 1:40570 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
 * 1:40569 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
 * 1:40567 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:40568 <-> DISABLED <-> INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt (indicator-compromise.rules)
 * 1:40565 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40566 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40563 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40564 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection attempt (malware-cnc.rules)
 * 1:40560 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
 * 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
 * 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 1:40549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection (malware-cnc.rules)
 * 1:40551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt (malware-cnc.rules)
 * 1:40555 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
 * 1:40556 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
 * 1:40557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
 * 1:40561 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40562 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40579 <-> ENABLED <-> SERVER-OTHER ISC BIND 9 DNS query overly long name denial of service attempt (server-other.rules)
 * 1:40577 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
 * 1:40550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt (malware-cnc.rules)
 * 1:40578 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
 * 1:40576 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
 * 1:40575 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
 * 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 3:40552 <-> ENABLED <-> SERVER-OTHER Cisco ESA lzw attachment parsing denial of service attempt (server-other.rules)
 * 3:40553 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
 * 3:40554 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
 * 3:40580 <-> ENABLED <-> POLICY-OTHER Cisco Universal Media Services potentially unauthorized API access detected (policy-other.rules)

Modified Rules:


 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
 * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)

2016-10-27 18:03:22 UTC

Snort Subscriber Rules Update

Date: 2016-10-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40579 <-> ENABLED <-> SERVER-OTHER ISC BIND 9 DNS query overly long name denial of service attempt (server-other.rules)
 * 1:40578 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
 * 1:40577 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
 * 1:40576 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
 * 1:40575 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
 * 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:40572 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
 * 1:40571 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
 * 1:40570 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
 * 1:40569 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
 * 1:40568 <-> DISABLED <-> INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt (indicator-compromise.rules)
 * 1:40567 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:40566 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40565 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40564 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40563 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40562 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40561 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40560 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection attempt (malware-cnc.rules)
 * 1:40558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
 * 1:40557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
 * 1:40556 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
 * 1:40555 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
 * 1:40551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt (malware-cnc.rules)
 * 1:40550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt (malware-cnc.rules)
 * 1:40549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection (malware-cnc.rules)
 * 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
 * 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 3:40552 <-> ENABLED <-> SERVER-OTHER Cisco ESA lzw attachment parsing denial of service attempt (server-other.rules)
 * 3:40553 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
 * 3:40554 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
 * 3:40580 <-> ENABLED <-> POLICY-OTHER Cisco Universal Media Services potentially unauthorized API access detected (policy-other.rules)

Modified Rules:


 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
 * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)