Talos Rules 2016-01-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, netbios, policy-other, protocol-dns, protocol-rpc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-01-14 15:01:43 UTC

Snort Subscriber Rules Update

Date: 2016-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
 * 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
 * 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
 * 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
 * 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
 * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
 * 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
 * 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
 * 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link  DNS-326 check_login command injection attempt (server-webapp.rules)
 * 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
 * 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
 * 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)

Modified Rules:

 * 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)
 * 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
 * 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
 * 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
 * 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)
 * 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)

2016-01-14 15:01:43 UTC

Snort Subscriber Rules Update

Date: 2016-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
 * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
 * 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
 * 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
 * 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
 * 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
 * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
 * 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link  DNS-326 check_login command injection attempt (server-webapp.rules)
 * 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
 * 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
 * 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
 * 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
 * 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)

Modified Rules:

 * 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
 * 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
 * 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)
 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
 * 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
 * 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)
 * 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)

2016-01-14 15:01:43 UTC

Snort Subscriber Rules Update

Date: 2016-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
 * 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
 * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
 * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
 * 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
 * 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
 * 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
 * 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link  DNS-326 check_login command injection attempt (server-webapp.rules)
 * 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
 * 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
 * 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
 * 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
 * 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
 * 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
 * 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
 * 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
 * 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
 * 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
 * 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
 * 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
 * 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
 * 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
 * 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)

Modified Rules:


 * 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)
 * 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
 * 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
 * 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
 * 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
 * 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
 * 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
 * 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
 * 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)
 * 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
 * 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)