Talos Rules 2015-10-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-other, browser-plugins, deleted, exploit-kit, file-flash, malware-cnc, malware-other, os-mobile, os-windows, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-08 15:42:38 UTC

Snort Subscriber Rules Update

Date: 2015-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36361 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36359 <-> DISABLED <-> SERVER-WEBAPP pfSense WebGui Zone Parameter cross-site scripting attempt (server-webapp.rules)
 * 1:36360 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36358 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36350 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36349 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36341 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36343 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36342 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36340 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36339 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:35724 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:36333 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileDownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:36332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:35723 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:36381 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs (blacklist.rules)
 * 1:36377 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36389 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky (blacklist.rules)
 * 1:36382 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mindfucktoys.com - Necurs (blacklist.rules)
 * 1:36383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.net-freaks.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36394 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sip.supportcom.xyz - Win.Trojan.DustySky (blacklist.rules)
 * 1:36395 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.ciscofreak.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36397 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36390 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facetoo.co.vu - Win.Trojan.DustySky (blacklist.rules)
 * 1:36362 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36363 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36364 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36376 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt (server-other.rules)
 * 1:36374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules)
 * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules)
 * 1:36384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:36378 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)

Modified Rules:


 * 1:28043 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)

2015-10-08 15:42:38 UTC

Snort Subscriber Rules Update

Date: 2015-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36389 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky (blacklist.rules)
 * 1:36382 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mindfucktoys.com - Necurs (blacklist.rules)
 * 1:36383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.net-freaks.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36394 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sip.supportcom.xyz - Win.Trojan.DustySky (blacklist.rules)
 * 1:36395 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.ciscofreak.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36397 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:35723 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:35724 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:36332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36333 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileDownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules)
 * 1:36339 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36340 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36341 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36342 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36343 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36349 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36350 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36358 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36359 <-> DISABLED <-> SERVER-WEBAPP pfSense WebGui Zone Parameter cross-site scripting attempt (server-webapp.rules)
 * 1:36360 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36361 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36362 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36363 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36364 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules)
 * 1:36390 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facetoo.co.vu - Win.Trojan.DustySky (blacklist.rules)
 * 1:36376 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt (server-other.rules)
 * 1:36378 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36377 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:36381 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs (blacklist.rules)
 * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:28043 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)

2015-10-08 15:42:38 UTC

Snort Subscriber Rules Update

Date: 2015-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35723 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:35724 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:36332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36333 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileDownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules)
 * 1:36339 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36340 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36341 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36342 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36343 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36349 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36350 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36358 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36359 <-> DISABLED <-> SERVER-WEBAPP pfSense WebGui Zone Parameter cross-site scripting attempt (server-webapp.rules)
 * 1:36360 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36361 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36362 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36363 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36364 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules)
 * 1:36376 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt (server-other.rules)
 * 1:36377 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36378 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:36399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36397 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36395 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.ciscofreak.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36394 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sip.supportcom.xyz - Win.Trojan.DustySky (blacklist.rules)
 * 1:36393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.net-freaks.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36390 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facetoo.co.vu - Win.Trojan.DustySky (blacklist.rules)
 * 1:36389 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky (blacklist.rules)
 * 1:36383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36382 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mindfucktoys.com - Necurs (blacklist.rules)
 * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules)
 * 1:36381 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs (blacklist.rules)

Modified Rules:


 * 1:28043 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)

2015-10-08 15:42:38 UTC

Snort Subscriber Rules Update

Date: 2015-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36399 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36398 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Ovector out of bounds stack corruption attempt (file-flash.rules)
 * 1:36397 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36395 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.ciscofreak.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36394 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sip.supportcom.xyz - Win.Trojan.DustySky (blacklist.rules)
 * 1:36393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.net-freaks.com - Win.Trojan.DustySky (blacklist.rules)
 * 1:36392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain news.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain games.buybit.us - Win.Trojan.DustySky (blacklist.rules)
 * 1:36390 <-> ENABLED <-> BLACKLIST DNS request for known malware domain facetoo.co.vu - Win.Trojan.DustySky (blacklist.rules)
 * 1:36389 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky (blacklist.rules)
 * 1:36384 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36383 <-> DISABLED <-> OS-WINDOWS Microsoft Windows FlattenPath paged memory consumption privilege escalation attempt (os-windows.rules)
 * 1:36382 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mindfucktoys.com - Necurs (blacklist.rules)
 * 1:36381 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs (blacklist.rules)
 * 1:36380 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt (server-webapp.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:36378 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36377 <-> DISABLED <-> BROWSER-OTHER Google Chrome invalid URI denial of service attempt (browser-other.rules)
 * 1:36376 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt (server-other.rules)
 * 1:36375 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt (server-other.rules)
 * 1:36374 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36373 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36372 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36371 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid vector length memory corruption attempt (file-flash.rules)
 * 1:36370 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36369 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36368 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36367 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineText buffer overflow attempt (file-flash.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36364 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:36363 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36362 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36361 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36360 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
 * 1:36359 <-> DISABLED <-> SERVER-WEBAPP pfSense WebGui Zone Parameter cross-site scripting attempt (server-webapp.rules)
 * 1:36358 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource null pointer attempt (file-flash.rules)
 * 1:36356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSS null pointer attempt (file-flash.rules)
 * 1:36350 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36349 <-> DISABLED <-> BROWSER-PLUGINS Touch22 Software Image22 DrawIcon ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36343 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36342 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36341 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36340 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36339 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)
 * 1:36338 <-> ENABLED <-> MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt (malware-other.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36333 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileDownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:36332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:35724 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:35723 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)

Modified Rules:


 * 1:28043 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
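The listing layout documented in each change log above (gid:sid <-> Default rule state <-> Message (rule group)) is regular enough to process mechanically, which is how a practitioner would normally consume a release like this: pull out the rules shipped DISABLED that should be switched on for a given environment, harvest the BLACKLIST domains for a DNS blocklist, and check that the release summary actually names every rule set in the listing. The Python below is an added example and is not part of the Talos release or of any Talos tooling. The function names, the Rule dataclass and the regular expressions are this example's own; the sample input is a handful of lines copied from the 2015-10-08 listing, and INCOMPLETE_SUMMARY is a constructed rule-set list that deliberately leaves out server-other so the consistency check has something to report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# One listing entry in the documented layout:
#   gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# BLACKLIST messages carry "... domain <fqdn> - <malware family>"
DOMAIN_MSG = re.compile(r"DNS request for known malware domain (?P<domain>\S+) - (?P<family>.+)$")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default state the rule pack ships with
    category: str      # leading rule-class token, e.g. FILE-FLASH, or DELETED
    message: str
    group: str         # rules file the rule lives in, e.g. file-flash.rules

    @property
    def gid_sid(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_rule_line(line: str) -> Optional[Rule]:
    """Parse one ' * gid:sid <-> STATE <-> message (group.rules)' line; None for anything else."""
    m = RULE_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    return Rule(gid=int(m.group("gid")), sid=int(m.group("sid")),
                enabled=m.group("state") == "ENABLED", category=msg.split()[0],
                message=msg, group=m.group("group"))


def parse_changelog(text: str) -> Dict[str, List[Rule]]:
    """Split a change log body into its 'New Rules:' and 'Modified Rules:' lists."""
    sections: Dict[str, List[Rule]] = {"new": [], "modified": []}
    current: Optional[str] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = "new"
        elif heading == "Modified Rules:":
            current = "modified"
        elif current is not None:
            rule = parse_rule_line(line)
            if rule is not None:
                sections[current].append(rule)
    return sections


def rule_groups(rules: Iterable[Rule]) -> Set[str]:
    """Rule-set names as the release summary spells them (file name minus '.rules')."""
    return {r.group[: -len(".rules")] for r in rules}


def missing_from_summary(rules: Iterable[Rule], summary: Set[str]) -> Set[str]:
    """Rule sets present in the listing but absent from the summary sentence."""
    return rule_groups(rules) - summary


def blacklist_domains(rules: Iterable[Rule]) -> Dict[str, List[str]]:
    """Malware family -> sorted domains taken from BLACKLIST DNS rules."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in rules:
        m = DOMAIN_MSG.search(r.message)
        if r.category == "BLACKLIST" and m:
            out[m.group("family")].append(m.group("domain"))
    return {family: sorted(domains) for family, domains in out.items()}


def disabled_in_group(rules: Iterable[Rule], group: str) -> List[str]:
    """gid:sid of rules shipped DISABLED in one rules file, in the form an enablesid list takes."""
    return sorted((r.gid_sid for r in rules if r.group == group and not r.enabled),
                  key=lambda s: tuple(int(x) for x in s.split(":")))


# Constructed sample: a few lines copied from the 2015-10-08 listing.
SAMPLE_CHANGELOG = """\
New Rules:


 * 1:36381 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs (blacklist.rules)
 * 1:36389 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky (blacklist.rules)
 * 1:36396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36397 <-> DISABLED <-> MALWARE-CNC Win.Trojan.DustySky variant outbound connection (malware-cnc.rules)
 * 1:36376 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt (server-other.rules)
 * 1:35723 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows OpenType font parsing memory corruption attempt (deleted.rules)
 * 1:36348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayList memory corruption attempt (file-flash.rules)

Modified Rules:


 * 1:28043 <-> DISABLED <-> OS-MOBILE Android WebKit Java reflection command execution attempt (os-mobile.rules)
"""

# Constructed for the demonstration: a summary list that omits server-other.
INCOMPLETE_SUMMARY = {"blacklist", "browser-other", "browser-plugins", "deleted", "exploit-kit",
                      "file-flash", "malware-cnc", "malware-other", "os-mobile", "os-windows",
                      "policy-other", "server-webapp"}

if __name__ == "__main__":
    sections = parse_changelog(SAMPLE_CHANGELOG)
    print("new:", len(sections["new"]), "modified:", len(sections["modified"]))
    print("summary omits:", missing_from_summary(sections["new"], INCOMPLETE_SUMMARY))
    print("blocklist:", blacklist_domains(sections["new"]))
    print("disabled malware-cnc:", disabled_in_group(sections["new"], "malware-cnc.rules"))
```

Two points worth noting for anyone feeding the output into a sensor. DELETED entries (category DELETED, file deleted.rules) are retired SIDs, not detections, so they are filtered out before anything is enabled. And "DISABLED" is only the default state Talos ships; a rule such as 1:36376 for the IBM Tivoli endpoint daemon is disabled because most networks have no such service, so the enablesid-style list above is a candidate list to review against the asset inventory, not something to apply wholesale.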