Talos Rules 2016-11-30
Talos is aware of a vulnerability affecting Mozilla Firefox.

Mozilla Firefox 0day Vulnerability: A coding deficiency exists in Mozilla Firefox that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40888.

Talos has also added and modified multiple rules in the browser-firefox, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-11-30 21:30:54 UTC

Snort Subscriber Rules Update

Date: 2016-11-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40890 <-> DISABLED <-> SERVER-WEBAPP Flexense DiskPulse Disk Change Monitor login buffer overflow attempt (server-webapp.rules)
 * 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)
 * 1:40888 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox ESR uninitialized pointer use attempt (browser-firefox.rules)
 * 1:40887 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40886 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40885 <-> DISABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:40884 <-> DISABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)

Modified Rules:



2016-11-30 21:30:54 UTC

Snort Subscriber Rules Update

Date: 2016-11-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40888 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox ESR uninitialized pointer use attempt (browser-firefox.rules)
 * 1:40884 <-> DISABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:40885 <-> DISABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
 * 1:40886 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40887 <-> ENABLED <-> OS-WINDOWS Microsoft Windows keybd_event type confusion code execution attempt (os-windows.rules)
 * 1:40890 <-> DISABLED <-> SERVER-WEBAPP Flexense DiskPulse Disk Change Monitor login buffer overflow attempt (server-webapp.rules)
 * 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)

Modified Rules: