Talos Rules 2015-09-10
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that most of the new server-webapp, server-other, file-flash and indicator-obfuscation rules ship DISABLED by default and must be enabled in the local policy to generate alerts.

Change logs

2015-09-10 17:34:33 UTC

Snort Subscriber Rules Update

Date: 2015-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
 * 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
 * 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
 * 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)

Modified Rules:


 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
 * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)

2015-09-10 17:34:33 UTC

Snort Subscriber Rules Update

Date: 2015-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
 * 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
 * 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
 * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
 * 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
 * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)

2015-09-10 17:34:33 UTC

Snort Subscriber Rules Update

Date: 2015-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
 * 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
 * 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
 * 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
 * 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
 * 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
 * 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
 * 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)
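The "gid:sid <-> Default rule state <-> Message (rule group)" format above is the same for each per-version pack, so an operator usually wants three things from a release note like this: which new rules ship DISABLED (the FireEye, Synology, Asterisk and Flash rules here will not alert until enabled locally), how many changes land per rule group, and confirmation that the packs for the different Snort versions carry the same set of SIDs. The parser below does that. It is an added example, not Talos code; the SAMPLE text is a constructed excerpt in the change-log format, and the enablesid_lines helper emits gid:sid pairs in the form PulledPork's enablesid.conf accepts.

```python
import re
from collections import Counter

# Constructed excerpt in the Talos change-log format shown on this page.
SAMPLE = """\
New Rules:

 * 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
 * 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
 * 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
 * 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)

Modified Rules:

 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection  (malware-backdoor.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)".
# The message is matched lazily so stray double spaces before "(" do not leak into it.
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse a change log into dicts with gid, sid, state, msg, group and section.

    section is 'new' or 'modified', taken from the most recent 'New Rules:' or
    'Modified Rules:' header; non-rule lines (dates, format notes) are skipped.
    """
    rules = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
    return rules


def disabled_new_rules(rules):
    """SIDs of new rules that ship disabled; they alert only once enabled in local policy."""
    return sorted(r["sid"] for r in rules if r["section"] == "new" and r["state"] == "DISABLED")


def count_by_group(rules):
    """Number of added or modified rules per rule group (file name)."""
    return Counter(r["group"] for r in rules)


def enablesid_lines(rules):
    """gid:sid lines (PulledPork enablesid.conf form) for new rules that ship disabled."""
    return [f"{r['gid']}:{r['sid']}" for r in rules
            if r["section"] == "new" and r["state"] == "DISABLED"]


def same_rule_set(text_a, text_b):
    """True when two per-version logs list the same (gid, sid, state, section) tuples.

    The per-version lists on this page are in different orders, so compare sorted keys.
    """
    def key(rules):
        return sorted((r["gid"], r["sid"], r["state"], r["section"]) for r in rules)
    return key(parse_changelog(text_a)) == key(parse_changelog(text_b))


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new rules shipped DISABLED:", disabled_new_rules(parsed))
    print("changes per group:", dict(count_by_group(parsed)))
    print("\n".join(enablesid_lines(parsed)))
```

Run against the three lists above, same_rule_set confirms that the 2962, 2975 and 2973 packs differ only in ordering, and enablesid_lines gives the entries to feed to PulledPork (or to uncomment by hand) for the disabled server-webapp, server-other, file-flash and indicator-obfuscation rules, which is the step that is easy to miss when reading a release note that lists them as "New Rules".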