Talos Rules 2016-12-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, indicator-compromise, server-other and server-webapp rule sets to provide coverage for emerging threats targeting these technologies.

Change logs

2016-12-14 00:33:00 UTC

Snort Subscriber Rules Update

Date: 2016-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
 * 1:40995 <-> ENABLED <-> SERVER-OTHER Alcatel Lucent OmniVista arbitrary command execution attempt (server-other.rules)
 * 1:40996 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40997 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:41000 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41001 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41006 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41007 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41008 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41009 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41013 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41014 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41015 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41016 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41017 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41018 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41019 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41020 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41021 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41022 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41023 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41024 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41025 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)

Modified Rules:


 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)
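The change log lines above follow the format stated in the header, `gid:sid <-> Default rule state <-> Message (rule group)`. The following Python is an added example, not Talos or Snort tooling, that parses such a list, counts rules per rule group and default state, extracts the gid:sid identifiers of rules shipped DISABLED so an operator can decide which to turn on for their environment, and reports messages shared by several SIDs (one detection split across several rules). The sample input is a constructed excerpt of lines copied from this release; the function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Pattern for the change log's own line format:
#   gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Constructed sample: a handful of lines copied from this release note.
SAMPLE = """New Rules:

 * 1:41019 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41018 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41013 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41009 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40995 <-> ENABLED <-> SERVER-OTHER Alcatel Lucent OmniVista arbitrary command execution attempt (server-other.rules)
 * 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)

Modified Rules:

 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)
"""


def parse_rule_line(line):
    """Return a dict for one rule line, or None if the line is not a rule line."""
    m = RULE_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"] = int(d["gid"])
    d["sid"] = int(d["sid"])
    return d


def parse_changelog(text):
    """Split a change log into 'new' and 'modified' rule lists using its section headers."""
    section = None
    out = {"new": [], "modified": []}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        rule = parse_rule_line(line)
        if rule and section:
            out[section].append(rule)
    return out


def summarize(rules):
    """Count rules per (rule group, default state)."""
    return dict(Counter((r["group"], r["state"]) for r in rules))


def default_off_sids(rules, group=None):
    """gid:sid strings of rules shipped DISABLED, optionally limited to one rule group.
    Sorted ascending so the output is stable even when rule packs list lines in different orders."""
    selected = [r for r in rules
                if r["state"] == "DISABLED" and (group is None or r["group"] == group)]
    return [f"{r['gid']}:{r['sid']}" for r in sorted(selected, key=lambda r: (r["gid"], r["sid"]))]


def duplicate_messages(rules):
    """Message text shared by more than one SID, mapped to the sorted SIDs that carry it."""
    by_msg = defaultdict(list)
    for r in rules:
        by_msg[r["msg"]].append(r["sid"])
    return {msg: sorted(sids) for msg, sids in by_msg.items() if len(sids) > 1}


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for key, count in sorted(summarize(parsed["new"]).items()):
        print(f"{key[0]:28s} {key[1]:8s} {count}")
    print("disabled by default:", " ".join(default_off_sids(parsed["new"])))
    for msg, sids in duplicate_messages(parsed["new"]).items():
        print(f"{sids}: {msg}")
```

The DISABLED entries are the ones to review first: a default-off rule produces no alerts until it is enabled in the local policy, so a server-webapp rule for a product you actually run (here the Nagios XI and Sony IPELA entries) is worth enabling explicitly, whereas the default-off indicator-compromise RegExp rules are broad enough that enabling them usually warrants a look at false-positive volume first.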

2016-12-14 00:33:00 UTC

Snort Subscriber Rules Update

Date: 2016-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
 * 1:40995 <-> ENABLED <-> SERVER-OTHER Alcatel Lucent OmniVista arbitrary command execution attempt (server-other.rules)
 * 1:40996 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40997 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:41000 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41001 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41006 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41007 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41008 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41009 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41013 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41014 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41015 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41016 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41017 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41018 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41019 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41020 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41021 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41022 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41023 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41024 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41025 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)

Modified Rules:


 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)

2016-12-14 00:33:00 UTC

Snort Subscriber Rules Update

Date: 2016-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40994 <-> DISABLED <-> SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt (server-webapp.rules)
 * 1:40995 <-> ENABLED <-> SERVER-OTHER Alcatel Lucent OmniVista arbitrary command execution attempt (server-other.rules)
 * 1:40996 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40997 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:41000 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41001 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41006 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41007 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41008 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41009 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Flash Player ActionScript vulnerable RegExp verb usage detected (indicator-compromise.rules)
 * 1:41010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData applyFilter integer overflow attempt (file-flash.rules)
 * 1:41012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41013 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection use after free attempt (file-flash.rules)
 * 1:41014 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41015 <-> ENABLED <-> FILE-FLASH Acrobat Flash WorkerDomain memory corruption attempt (file-flash.rules)
 * 1:41016 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41017 <-> DISABLED <-> FILE-FLASH Adobe Flash Player writeDynamicProperties use-after-free attempt (file-flash.rules)
 * 1:41018 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41019 <-> DISABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt (server-webapp.rules)
 * 1:41020 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41021 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41022 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41023 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41024 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:41025 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)

Modified Rules:


 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)