Talos Rules 2015-11-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-11-12 16:39:16 UTC

Snort Subscriber Rules Update

Date: 2015-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
 * 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
 * 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
 * 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
 * 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
 * 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)

2015-11-12 16:39:16 UTC

Snort Subscriber Rules Update

Date: 2015-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
 * 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
 * 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
 * 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
 * 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
 * 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
 * 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
 * 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)

2015-11-12 16:39:16 UTC

Snort Subscriber Rules Update

Date: 2015-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
 * 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
 * 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
 * 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
 * 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
 * 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
 * 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)

Modified Rules:


 * 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
 * 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
 * 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
 * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
 * 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)