Talos Rules 2015-11-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit, malware-cnc, protocol-icmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-11-05 17:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
 * 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
 * 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)

Modified Rules:


 * 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)

2015-11-05 17:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
 * 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
 * 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
 * 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)

Modified Rules:


 * 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
 * 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)

2015-11-05 17:59:53 UTC

Snort Subscriber Rules Update

Date: 2015-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
 * 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
 * 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
 * 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)

Modified Rules:


 * 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)