Talos Rules 2016-11-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-flash, file-office, indicator-compromise, malware-cnc, malware-other, pua-adware, pua-other, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2016-11-23 20:43:36 UTC

Snort Subscriber Rules Update

Date: 2016-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40853 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40854 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40851 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40852 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40849 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40850 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40847 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40848 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:40846 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:40844 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:40841 <-> DISABLED <-> PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt (pua-other.rules)
 * 1:40842 <-> DISABLED <-> PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt (pua-other.rules)
 * 1:40840 <-> DISABLED <-> PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt (pua-other.rules)
 * 1:40839 <-> DISABLED <-> PUA-ADWARE Sokuxuan outbound connection attempt (pua-adware.rules)
 * 1:40838 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
 * 1:40837 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
 * 1:40830 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
 * 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:40833 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:40835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:40871 <-> DISABLED <-> MALWARE-OTHER Virut CnC command reply (malware-other.rules)
 * 1:40870 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
 * 1:40869 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
 * 1:40868 <-> ENABLED <-> BLACKLIST DNS request for known malware domain core.ircgalaxy.pl - Virut (blacklist.rules)
 * 1:40867 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sys.zief.pl - Virut (blacklist.rules)
 * 1:40829 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
 * 1:40865 <-> ENABLED <-> SERVER-WEBAPP Bassmaster Batch remote code execution attempt (server-webapp.rules)
 * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)

Modified Rules:

 * 1:38204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
 * 1:40008 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess DCERPC buffer overflow attempt (server-other.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:38203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)

2016-11-23 20:43:36 UTC

Snort Subscriber Rules Update

Date: 2016-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40871 <-> DISABLED <-> MALWARE-OTHER Virut CnC command reply (malware-other.rules)
 * 1:40870 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
 * 1:40869 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
 * 1:40868 <-> ENABLED <-> BLACKLIST DNS request for known malware domain core.ircgalaxy.pl - Virut (blacklist.rules)
 * 1:40867 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sys.zief.pl - Virut (blacklist.rules)
 * 1:40865 <-> ENABLED <-> SERVER-WEBAPP Bassmaster Batch remote code execution attempt (server-webapp.rules)
 * 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
 * 1:40854 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40853 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40852 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40851 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40850 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
 * 1:40849 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40848 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40847 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40846 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:40844 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
 * 1:40842 <-> DISABLED <-> PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt (pua-other.rules)
 * 1:40841 <-> DISABLED <-> PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt (pua-other.rules)
 * 1:40840 <-> DISABLED <-> PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt (pua-other.rules)
 * 1:40839 <-> DISABLED <-> PUA-ADWARE Sokuxuan outbound connection attempt (pua-adware.rules)
 * 1:40838 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
 * 1:40837 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
 * 1:40835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt (malware-cnc.rules)
 * 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
 * 1:40833 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection attempt (malware-cnc.rules)
 * 1:40830 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
 * 1:40829 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)

Modified Rules:

 * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
 * 1:38203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
 * 1:38204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
 * 1:40008 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess DCERPC buffer overflow attempt (server-other.rules)