Talos Rules 2015-09-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-flash, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-09-24 15:51:57 UTC

Snort Subscriber Rules Update

Date: 2015-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
 * 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
 * 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
 * 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
 * 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)

Modified Rules:

 * 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
 * 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)

2015-09-24 15:51:57 UTC

Snort Subscriber Rules Update

Date: 2015-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
 * 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
 * 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
 * 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)
 * 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
 * 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)

2015-09-24 15:51:57 UTC

Snort Subscriber Rules Update

Date: 2015-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
 * 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
 * 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
 * 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
 * 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
 * 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
 * 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
 * 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
 * 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
 * 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
 * 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
 * 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
 * 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
 * 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
 * 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
 * 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
 * 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
 * 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)