Talos Rules 2015-08-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-08-04 15:53:01 UTC

Snort Subscriber Rules Update

Date: 2015-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
 * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

Modified Rules:

 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)

2015-08-04 15:53:01 UTC

Snort Subscriber Rules Update

Date: 2015-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
 * 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

Modified Rules:

 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)

2015-08-04 15:53:01 UTC

Snort Subscriber Rules Update

Date: 2015-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
 * 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
 * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)

Modified Rules:

 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)

2015-08-04 15:53:01 UTC

Snort Subscriber Rules Update

Date: 2015-08-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
 * 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
 * 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
 * 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
 * 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
 * 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
 * 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

Modified Rules:

 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)