Talos Rules 2015-11-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-116 (CVE-2015-6123): A coding deficiency exists in Microsoft Office for Mac that may lead to url redirection.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36766 through 36767.

Talos has added and modified multiple rules in the blacklist, exploit-kit and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-11-11 19:11:26 UTC

Snort Subscriber Rules Update

Date: 2015-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules)
 * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)
 * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)

Modified Rules:



2015-11-11 19:11:26 UTC

Snort Subscriber Rules Update

Date: 2015-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)
 * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)
 * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)

Modified Rules:



2015-11-11 19:11:26 UTC

Snort Subscriber Rules Update

Date: 2015-11-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules)
 * 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules)
 * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)
 * 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)

Modified Rules: