Talos Rules 2017-02-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-other, indicator-obfuscation, indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-02-24 21:53:03 UTC

Snort Subscriber Rules Update

Date: 2017-02-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41718 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41716 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41721 <-> DISABLED <-> SERVER-WEBAPP Mikrotik Syslog Server DoS attempt (server-webapp.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41719 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41715 <-> DISABLED <-> BROWSER-IE Microsoft Health and Support Center iframe injection attempt (browser-ie.rules)
 * 1:41720 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41717 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type buffer overflow attempt (browser-ie.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41674 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:33339 <-> DISABLED <-> INDICATOR-SHELLCODE ASCII heapspray characters detected (indicator-shellcode.rules)
 * 1:41679 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41673 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41680 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)

2017-02-24 21:53:03 UTC

Snort Subscriber Rules Update

Date: 2017-02-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41721 <-> DISABLED <-> SERVER-WEBAPP Mikrotik Syslog Server DoS attempt (server-webapp.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41720 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41718 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41719 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41716 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41717 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type buffer overflow attempt (browser-ie.rules)
 * 1:41715 <-> DISABLED <-> BROWSER-IE Microsoft Health and Support Center iframe injection attempt (browser-ie.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41674 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41673 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:41679 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:33339 <-> DISABLED <-> INDICATOR-SHELLCODE ASCII heapspray characters detected (indicator-shellcode.rules)
 * 1:41680 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)

2017-02-24 21:53:03 UTC

Snort Subscriber Rules Update

Date: 2017-02-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41721 <-> DISABLED <-> SERVER-WEBAPP Mikrotik Syslog Server DoS attempt (server-webapp.rules)
 * 1:41720 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41719 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41718 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41717 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type buffer overflow attempt (browser-ie.rules)
 * 1:41716 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:41715 <-> DISABLED <-> BROWSER-IE Microsoft Health and Support Center iframe injection attempt (browser-ie.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:41680 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:33339 <-> DISABLED <-> INDICATOR-SHELLCODE ASCII heapspray characters detected (indicator-shellcode.rules)
 * 1:41679 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShimContentResolver out of bounds memory access attempt (file-flash.rules)
 * 1:41674 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:41673 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField object event handler use after free attempt (file-flash.rules)
 * 1:41631 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41632 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 h264 decompression routine out of bounds read attempt (file-other.rules)
 * 1:41630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK EventDispatch removeEventListener use after free attempt (file-flash.rules)
 * 1:41628 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41627 <-> ENABLED <-> FILE-FLASH Adobe Flash Player garbage collection use after free attempt (file-flash.rules)
 * 1:41624 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41623 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MessageChannel type confusion attempt (file-flash.rules)
 * 1:41622 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41621 <-> DISABLED <-> FILE-FLASH Adobe Flash malformed FLV heap overflow attempt (file-flash.rules)
 * 1:41620 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41619 <-> DISABLED <-> FILE-FLASH Adobe Flash Player addEventListener use after free attempt (file-flash.rules)
 * 1:41618 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41617 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41616 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41615 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41614 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41612 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:21037 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized javascript encodings detected (indicator-obfuscation.rules)
 * 1:41613 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder heap overflow attempt (file-other.rules)
 * 1:41611 <-> ENABLED <-> FILE-OTHER Adobe Flash Player h264 decoder luminance adjustment out of bounds memory access attempt (file-other.rules)
 * 1:41604 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)
 * 1:41603 <-> DISABLED <-> FILE-FLASH Adobe Flash player BitmapData class use after free attempt (file-flash.rules)