Talos Rules 2016-11-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-office, file-pdf, malware-cnc, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-11-03 15:03:50 UTC

Snort Subscriber Rules Update

Date: 2016-11-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40640 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40635 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40634 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40633 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40632 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40631 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt (file-office.rules)
 * 1:40630 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40629 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly ASLR bypass download attempt (file-office.rules)
 * 1:40628 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAsembly ASLR bypass download attempt (file-office.rules)
 * 1:40627 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40626 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40625 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40624 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt (file-office.rules)
 * 1:40623 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40622 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40621 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40620 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40619 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:40618 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:40617 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40616 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40615 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40614 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40613 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 3:40636 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home API insecure SSO authentication detected (policy-other.rules)
 * 3:40637 <-> ENABLED <-> POLICY-OTHER TL1 ACT-USER login detected (policy-other.rules)
 * 3:40638 <-> ENABLED <-> PROTOCOL-VOIP Cisco Meeting Server SIP SDP media description buffer overflow attempt (protocol-voip.rules)

Modified Rules:
 * 1:40174 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:18685 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:40175 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
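The release notes above are plain text in the stated "gid:sid <-> Default rule state <-> Message (rule group)" format, and the same rule pack is listed once per Snort version. The following is an added example, not Talos or Snort code, that parses that format into structured entries so the list can be triaged: it pulls out the DISABLED rules in chosen message classes as gid:sid lines (the line format PulledPork's enablesid.conf accepts), counts entries per rule group, separates the gid 3 shared-object rules, and diffs two version lists. The two sample texts are constructed from a subset of the entries on this page (the second one deliberately drops entries so the diff has output); the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the 2983 list above, in the
# "gid:sid <-> Default rule state <-> Message (rule group)" format the notes describe.
SAMPLE_2983 = """\
New Rules:

 * 1:40640 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40635 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40613 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 3:40636 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home API insecure SSO authentication detected (policy-other.rules)
 * 3:40638 <-> ENABLED <-> PROTOCOL-VOIP Cisco Meeting Server SIP SDP media description buffer overflow attempt (protocol-voip.rules)

Modified Rules:

 * 1:40174 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
"""

# Constructed second sample standing in for another Snort version's list; it is
# deliberately missing entries so the comparison below has something to report.
SAMPLE_OTHER = """\
New Rules:

 * 1:40640 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40613 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 3:40636 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home API insecure SSO authentication detected (policy-other.rules)

Modified Rules:

"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)". Anything else is skipped.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str       # default state as shipped: ENABLED or DISABLED
    category: str    # leading class token of the message, e.g. FILE-PDF
    msg: str
    group: str       # rules file the entry lives in, e.g. file-pdf.rules
    section: str     # "new" or "modified"


def parse_changelog(text):
    """Return a RuleEntry for every rule line, tagged with the section it appears under."""
    entries, section = [], None
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")), sid=int(m.group("sid")), state=m.group("state"),
            category=msg.split(" ", 1)[0], msg=msg, group=m.group("group"), section=section))
    return entries


def fmt(gid_sid):
    return f"{gid_sid[0]}:{gid_sid[1]}"


def disabled_by_category(entries, categories):
    """Sorted gid:sid strings for DISABLED rules whose message class is in `categories`."""
    ids = sorted((e.gid, e.sid) for e in entries
                 if e.state == "DISABLED" and e.category in categories)
    return [fmt(i) for i in ids]


def count_by_group(entries):
    return Counter(e.group for e in entries)


def so_rules(entries):
    """gid 3 entries are shared-object (SO) rules, shipped as precompiled .so files
    built per Snort version, which is why the notes carry one list per version."""
    return [fmt((e.gid, e.sid)) for e in entries if e.gid == 3]


def diff_versions(entries_a, entries_b):
    """Rules listed for one version but not the other, as (only_in_a, only_in_b)."""
    a = {(e.gid, e.sid) for e in entries_a}
    b = {(e.gid, e.sid) for e in entries_b}
    return [fmt(i) for i in sorted(a - b)], [fmt(i) for i in sorted(b - a)]


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_2983)
    print("to enable:", disabled_by_category(rules, {"FILE-OFFICE", "SERVER-WEBAPP"}))
    print("per group:", dict(count_by_group(rules)))
    print("SO rules:", so_rules(rules))
    print("diff:", diff_versions(rules, parse_changelog(SAMPLE_OTHER)))
```

A DISABLED default state means the rule ships commented out and will not fire until it is enabled in your policy; the FILE-OFFICE RTF and SERVER-WEBAPP Oracle Application Testing Suite rules in this release are all disabled by default, so a site that exposes that product or inspects RTF attachments has to opt in. The message text alone does not show what the rule matches on, so read the rule body before enabling it rather than keying off the class token.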

2016-11-03 15:03:50 UTC

Snort Subscriber Rules Update

Date: 2016-11-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40630 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40621 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40616 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40615 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40617 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40618 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:40619 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:40620 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40622 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40623 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40624 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt (file-office.rules)
 * 1:40625 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40626 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader ASLR bypass download attempt (file-office.rules)
 * 1:40627 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40628 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAsembly ASLR bypass download attempt (file-office.rules)
 * 1:40629 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly ASLR bypass download attempt (file-office.rules)
 * 1:40613 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40640 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA addInstance use after free attempt (file-pdf.rules)
 * 1:40635 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40634 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40614 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt (server-webapp.rules)
 * 1:40633 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt (file-office.rules)
 * 1:40631 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt (file-office.rules)
 * 1:40632 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt (file-office.rules)
 * 3:40636 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home API insecure SSO authentication detected (policy-other.rules)
 * 3:40637 <-> ENABLED <-> POLICY-OTHER TL1 ACT-USER login detected (policy-other.rules)
 * 3:40638 <-> ENABLED <-> PROTOCOL-VOIP Cisco Meeting Server SIP SDP media description buffer overflow attempt (protocol-voip.rules)

Modified Rules:
 * 1:40174 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:18685 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:40175 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)