Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
* 1:40584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
* 1:40587 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
* 1:40588 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
* 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
* 1:40593 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40594 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40595 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Berbew variant outbound connection (malware-cnc.rules)
* 1:40597 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with wget from external source (indicator-compromise.rules)
* 1:40598 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with curl from external source (indicator-compromise.rules)
* 1:40599 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40601 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise activity (malware-cnc.rules)
* 1:40600 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40602 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
* 1:40603 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
* 1:40581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
* 1:40585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
* 1:40612 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download attempt (malware-cnc.rules)
* 1:40611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant download attempt (malware-cnc.rules)
* 1:40610 <-> DISABLED <-> INDICATOR-COMPROMISE DNS response points to sinkholed domain (indicator-compromise.rules)
* 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
* 1:40583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
* 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
* 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:40356 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
* 1:40357 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
* 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
* 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40612 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download attempt (malware-cnc.rules)
* 1:40611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant download attempt (malware-cnc.rules)
* 1:40610 <-> DISABLED <-> INDICATOR-COMPROMISE DNS response points to sinkholed domain (indicator-compromise.rules)
* 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40603 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
* 1:40602 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
* 1:40601 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise activity (malware-cnc.rules)
* 1:40600 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40599 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40598 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with curl from external source (indicator-compromise.rules)
* 1:40597 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with wget from external source (indicator-compromise.rules)
* 1:40596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Berbew variant outbound connection (malware-cnc.rules)
* 1:40595 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40594 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40593 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
* 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
* 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
* 1:40588 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
* 1:40587 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
* 1:40586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
* 1:40585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
* 1:40584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
* 1:40583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
* 1:40582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
* 1:40581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
* 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
* 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
* 1:40356 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
* 1:40357 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
* 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
* 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
* 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)