Talos Rules 2015-10-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-29 15:15:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)

Modified Rules:

 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)

2015-10-29 15:15:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)

Modified Rules:

 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)

2015-10-29 15:15:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
 * 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
 * 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
 * 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)

Modified Rules:

 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)