Talos Rules 2015-07-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-webkit, file-flash, file-multimedia, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-07-02 18:54:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
 * 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
 * 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
 * 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
 * 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
 * 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
 * 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
 * 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
 * 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
 * 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
 * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
 * 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
 * 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
 * 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
 * 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
 * 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
 * 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)

Modified Rules:


 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
 * 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)

2015-07-02 18:54:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
 * 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
 * 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
 * 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
 * 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
 * 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
 * 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
 * 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
 * 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
 * 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
 * 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
 * 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
 * 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
 * 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
 * 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
 * 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
 * 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
 * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:30742 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:30741 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30740 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30739 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30738 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30737 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30736 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30735 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30734 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30732 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30733 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30731 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30730 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30729 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30727 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30728 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30726 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30725 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30724 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30722 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30723 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30721 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30720 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30719 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30718 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30717 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
 * 1:30716 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30715 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
 * 1:30714 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30712 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:30713 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
 * 1:30711 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
 * 1:25550 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:25664 <-> DISABLED <-> SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt (server-other.rules)
 * 1:25620 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25619 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25618 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25617 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25612 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25601 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25549 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
 * 1:12786 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:12785 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
 * 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
 * 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)

2015-07-02 18:54:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
 * 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
 * 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
 * 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
 * 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
 * 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
 * 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
 * 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
 * 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
 * 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
 * 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
 * 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
 * 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
 * 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
 * 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
 * 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
 * 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
 * 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
 * 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
 * 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
 * 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
 * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
 * 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)