Talos Rules 2015-10-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-20 15:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules)
 * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules)
 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)

Modified Rules:

 * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules)
 * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)

2015-10-20 15:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules)
 * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules)
 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)

Modified Rules:

 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules)
 * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)

2015-10-20 15:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules)
 * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules)
 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)

Modified Rules:

 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules)
 * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)

2015-10-20 15:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules)
 * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules)
 * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules)
 * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules)
 * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules)
 * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules)
 * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules)
 * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules)
 * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules)
 * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)