Talos Rules 2016-03-10
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-10 15:26:32 UTC

Snort Subscriber Rules Update

Date: 2016-03-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38140 <-> DISABLED <-> SERVER-WEBAPP ATutor connections.php SQL injection attempt (server-webapp.rules)
 * 1:38141 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38145 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:38146 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38147 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38148 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38149 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38151 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38152 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38153 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38154 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38155 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38156 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38157 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38163 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
 * 1:38161 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:38162 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
 * 1:38160 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate detected (exploit-kit.rules)
 * 1:38159 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38158 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)

Modified Rules:

 * 1:16587 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16305 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16307 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16537 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:18542 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)

2016-03-10 15:26:32 UTC

Snort Subscriber Rules Update

Date: 2016-03-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38163 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
 * 1:38162 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
 * 1:38161 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:38160 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate detected (exploit-kit.rules)
 * 1:38159 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38158 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38157 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38156 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
 * 1:38155 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38154 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38153 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38152 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38151 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38149 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38148 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38147 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38146 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38145 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
 * 1:38144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38141 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:38140 <-> DISABLED <-> SERVER-WEBAPP ATutor connections.php SQL injection attempt (server-webapp.rules)

Modified Rules:

 * 1:16305 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16307 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16537 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
 * 1:16587 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18542 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)