Talos Rules 2015-08-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, file-flash, file-identify, file-java, file-office, indicator-scan, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-08-06 22:13:00 UTC

Snort Subscriber Rules Update

Date: 2015-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35470 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jctj.yongzhe.pw - Win.Trojan.Baisogu (blacklist.rules)
 * 1:35465 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35467 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35456 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35437 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jrml variant outbound connection (malware-cnc.rules)
 * 1:35449 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35468 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35440 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35441 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35442 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35444 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35443 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35445 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35446 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35447 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35448 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:35450 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35451 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35453 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35455 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35457 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35466 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35469 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules)
 * 1:35472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bergard outbound connection (malware-cnc.rules)
 * 1:35458 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35459 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file download request (file-identify.rules)
 * 1:35460 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35461 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35462 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Kazy (blacklist.rules)
 * 1:35464 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35463 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)

Modified Rules:


 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:25355 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:20722 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25353 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:16423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt (browser-ie.rules)
 * 1:12713 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server pitrig_dropmetadata buffer overflow attempt (server-oracle.rules)
 * 1:25354 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)

2015-08-06 22:13:00 UTC

Snort Subscriber Rules Update

Date: 2015-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35470 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jctj.yongzhe.pw - Win.Trojan.Baisogu (blacklist.rules)
 * 1:35465 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35467 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35437 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jrml variant outbound connection (malware-cnc.rules)
 * 1:35468 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35440 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35441 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35442 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35443 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35444 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35445 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35446 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35447 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35448 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:35449 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35466 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35469 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bergard outbound connection (malware-cnc.rules)
 * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules)
 * 1:35450 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35451 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35453 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35455 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35456 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35457 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35458 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35459 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file download request (file-identify.rules)
 * 1:35460 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35461 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35462 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Kazy (blacklist.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35464 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35463 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)

Modified Rules:


 * 1:20722 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:12713 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server pitrig_dropmetadata buffer overflow attempt (server-oracle.rules)
 * 1:16423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt (browser-ie.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:25353 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25354 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25355 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)

2015-08-06 22:13:00 UTC

Snort Subscriber Rules Update

Date: 2015-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35435 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35440 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35441 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35442 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35444 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35443 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35445 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35446 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35447 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35448 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:35449 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35450 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35451 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35453 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35455 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35456 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35457 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35458 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35459 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file download request (file-identify.rules)
 * 1:35460 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35461 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35462 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Kazy (blacklist.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bergard outbound connection (malware-cnc.rules)
 * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules)
 * 1:35470 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jctj.yongzhe.pw - Win.Trojan.Baisogu (blacklist.rules)
 * 1:35469 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35437 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jrml variant outbound connection (malware-cnc.rules)
 * 1:35467 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35465 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35466 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35464 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35463 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)

Modified Rules:


 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)
 * 1:25354 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:12713 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server pitrig_dropmetadata buffer overflow attempt (server-oracle.rules)
 * 1:16423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt (browser-ie.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:20722 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25353 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:25355 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)

2015-08-06 22:13:00 UTC

Snort Subscriber Rules Update

Date: 2015-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bergard outbound connection (malware-cnc.rules)
 * 1:35471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baisogu outbound connection (malware-cnc.rules)
 * 1:35470 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jctj.yongzhe.pw - Win.Trojan.Baisogu (blacklist.rules)
 * 1:35469 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35467 <-> ENABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35466 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35465 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35464 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35463 <-> ENABLED <-> FILE-FLASH Adobe flash player BitmapData.paletteMap use after free attempt (file-flash.rules)
 * 1:35462 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Kazy (blacklist.rules)
 * 1:35461 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35460 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox InstallWrapper error handling code execution attempt (browser-firefox.rules)
 * 1:35459 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file download request (file-identify.rules)
 * 1:35458 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35457 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35456 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file attachment detected (file-identify.rules)
 * 1:35455 <-> ENABLED <-> FILE-IDENTIFY Adobe LZMA compressed Flash file magic detected (file-identify.rules)
 * 1:35454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35453 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35452 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35451 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35450 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35449 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
 * 1:35448 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
 * 1:35447 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35446 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35445 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35444 <-> DISABLED <-> BROWSER-PLUGINS Oracle Data Quality LoaderWizard DataPreview type confusion attempt (browser-plugins.rules)
 * 1:35443 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35442 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35441 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35440 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35437 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Jrml variant outbound connection (malware-cnc.rules)
 * 1:35436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY MP4 file magic detected (file-identify.rules)

Modified Rules:


 * 1:12713 <-> DISABLED <-> SERVER-ORACLE Oracle Database Server pitrig_dropmetadata buffer overflow attempt (server-oracle.rules)
 * 1:16423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt (browser-ie.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:20722 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25353 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25354 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:25355 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid OfficeArtSpContainer subrecord type confusion attempt (file-office.rules)
 * 1:29802 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:29803 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt (browser-ie.rules)
 * 1:34623 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function integer overflow attempt (server-webapp.rules)