Talos Rules 2015-07-20
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2015-2426: A memory-corruption flaw exists in the Adobe Type Manager Font Driver (ATMFD.dll), the kernel-mode OpenType font driver in Microsoft Windows. A specially crafted OpenType font, delivered in a document or by a web page, can trigger it and may lead to remote code execution with kernel privileges. Microsoft addressed it in security bulletin MS15-078.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35304 and 35305.

Talos has added and modified multiple rules in the file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in these areas. Note that the Accellion FTA rule (1:35302) and the modified vBulletin rule (1:34287) ship disabled by default and must be enabled explicitly to provide coverage.

Change logs

2015-07-20 17:04:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962 (2.9.6.2).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite GET request (malware-cnc.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35302 <-> DISABLED <-> SERVER-WEBAPP Accellion FTA arbitrary file read attempt (server-webapp.rules)
 * 1:35303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ProxyChange (malware-cnc.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)

Modified Rules:


 * 1:34287 <-> DISABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)

2015-07-20 17:04:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972 (2.9.7.2).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite GET request (malware-cnc.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35302 <-> DISABLED <-> SERVER-WEBAPP Accellion FTA arbitrary file read attempt (server-webapp.rules)
 * 1:35303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ProxyChange (malware-cnc.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)

Modified Rules:


 * 1:34287 <-> DISABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)

2015-07-20 17:04:56 UTC

Snort Subscriber Rules Update

Date: 2015-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973 (2.9.7.3).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite GET request (malware-cnc.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35302 <-> DISABLED <-> SERVER-WEBAPP Accellion FTA arbitrary file read attempt (server-webapp.rules)
 * 1:35303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ProxyChange (malware-cnc.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)

Modified Rules:


 * 1:34287 <-> DISABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)
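The three changelogs above all use the same line format, gid:sid <-> Default rule state <-> Message (rule group). The following parser is an added example, not Talos or Snort code, that reads a changelog in that format, lists the rules shipped DISABLED (the ones that give no coverage until an operator turns them on), emits gid:sid lines in the shape PulledPork's enablesid.conf expects, and cross-checks the announced SID range against the rules actually listed. The sample input is the 2.9.6.2 changelog from this release note, embedded inline; the function names are this example's own.

```python
"""Parse Snort Subscriber Rules Update changelog lines of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and summarise what an operator has to act on. Added example, not Talos code."""
import re
from dataclasses import dataclass

# One changelog entry, e.g.
#  " * 1:35302 <-> DISABLED <-> SERVER-WEBAPP Accellion FTA ... (server-webapp.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str   # default state shipped in the pack: "ENABLED" or "DISABLED"
    msg: str
    group: str   # rule file, e.g. "file-other.rules"


def parse_changelog(text):
    """Return (new_rules, modified_rules); non-matching lines are ignored."""
    new, modified, current = [], [], None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = new
            continue
        if heading == "Modified Rules:":
            current = modified
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            continue
        current.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                 m["msg"], m["group"]))
    return new, modified


def disabled_by_default(entries):
    """Rules that ship DISABLED and so give no coverage until enabled."""
    return sorted((e for e in entries if e.state == "DISABLED"),
                  key=lambda e: (e.gid, e.sid))


def enablesid_lines(entries):
    """gid:sid lines, one per disabled rule, for a PulledPork enablesid.conf."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)]


def sid_range_covered(entries, gid, first, last):
    """True if every SID of an announced 'GID g, SIDs a through b' range is listed."""
    present = {(e.gid, e.sid) for e in entries}
    return all((gid, sid) in present for sid in range(first, last + 1))


def rule_groups(entries):
    """Rule files touched by the given entries."""
    return {e.group for e in entries}


# Sample input: the Snort 2.9.6.2 changelog from this release note.
SAMPLE = """Snort Subscriber Rules Update

Date: 2015-07-20

New Rules:

 * 1:35300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite GET request (malware-cnc.rules)
 * 1:35303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ProxyChange (malware-cnc.rules)
 * 1:35302 <-> DISABLED <-> SERVER-WEBAPP Accellion FTA arbitrary file read attempt (server-webapp.rules)
 * 1:35304 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35305 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD kernel pool overflow attempt (file-other.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)

Modified Rules:

 * 1:34287 <-> DISABLED <-> SERVER-WEBAPP vBulletin XSS redirect attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    new, modified = parse_changelog(SAMPLE)
    print(f"{len(new)} new, {len(modified)} modified; groups: "
          f"{sorted(rule_groups(new + modified))}")
    print("ATMFD coverage 1:35304-35305 present:", sid_range_covered(new, 1, 35304, 35305))
    print("enablesid.conf entries for rules shipped disabled:")
    print("\n".join(enablesid_lines(new + modified)))
```

Running it against this release shows three rule files touched (file-other, malware-cnc, server-webapp), confirms both announced ATMFD SIDs are present, and lists 1:34287 and 1:35302 as the entries to add to enablesid.conf if you want the Accellion FTA and vBulletin coverage active after the next rule pull.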