Talos Rules 2016-02-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-other, malware-cnc, malware-other, os-solaris, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-02-02 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2016-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37515 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37514 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37513 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:37507 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37509 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37510 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37511 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:37512 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:37516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:37521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37508 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37504 <-> DISABLED <-> SERVER-WEBAPP SAP HANA hdbindexserver buffer overflow attempt (server-webapp.rules)
 * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)
 * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)

Modified Rules:


 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP iControl API hostname command injection attempt (server-other.rules)
 * 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:25835 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
 * 1:19682 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)

2016-02-02 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2016-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37504 <-> DISABLED <-> SERVER-WEBAPP SAP HANA hdbindexserver buffer overflow attempt (server-webapp.rules)
 * 1:37507 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37508 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37509 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37510 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37511 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:37512 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:37513 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:37514 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37515 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:37521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)
 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)

Modified Rules:


 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
 * 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:25835 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP iControl API hostname command injection attempt (server-other.rules)
 * 1:19682 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)

2016-02-02 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2016-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
 * 1:37526 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)
 * 1:37525 <-> ENABLED <-> SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt (server-other.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37521 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection (malware-cnc.rules)
 * 1:37516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:37515 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37514 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37513 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37512 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37511 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 1:37510 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37509 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37508 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37507 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Media Service Component mdsauth.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37504 <-> DISABLED <-> SERVER-WEBAPP SAP HANA hdbindexserver buffer overflow attempt (server-webapp.rules)
 * 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:34717 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:34718 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34716 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt (server-webapp.rules)
 * 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP iControl API hostname command injection attempt (server-other.rules)
 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP client negative Content-Length attempt (server-webapp.rules)
 * 1:25835 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
 * 1:19682 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt (file-flash.rules)