Talos Rules 2016-03-15
Talos is aware of a vulnerability affecting products from Adobe Systems Inc.

CVE 2016-1010: Adobe Flash Player suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38238 through 38241.

Talos has also added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-03-15 15:55:54 UTC

Snort Subscriber Rules Update

Date: 2016-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38243 <-> DISABLED <-> SERVER-WEBAPP VmWare Tools command injection attempt (server-webapp.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38240 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38242 <-> DISABLED <-> SERVER-WEBAPP VmWare Tools command injection attempt (server-webapp.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
 * 1:38229 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager sam-ajax-admin.php directory traversal attempt (server-webapp.rules)
 * 1:38230 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38231 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38232 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38233 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38234 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.FighterPOS (blacklist.rules)
 * 1:38235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FighterPOS variant outbound connection (malware-cnc.rules)
 * 1:38236 <-> DISABLED <-> SERVER-WEBAPP Wordpress MM Forms community plugin arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:38237 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt (file-office.rules)
 * 1:38238 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38239 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38241 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 3:38245 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download (exploit-kit.rules)
 * 3:38244 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download (exploit-kit.rules)

Modified Rules:


 * 1:23303 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23287 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23288 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23146 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23286 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23293 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23291 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38225 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:17743 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt (file-office.rules)
 * 1:23292 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23294 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23295 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:23296 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23301 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23297 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23298 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23299 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38226 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:34138 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Netkrypt inbound response (malware-cnc.rules)
 * 1:23304 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23302 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt (file-other.rules)
 * 1:23300 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23289 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23290 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)

2016-03-15 15:55:54 UTC

Snort Subscriber Rules Update

Date: 2016-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38243 <-> DISABLED <-> SERVER-WEBAPP VmWare Tools command injection attempt (server-webapp.rules)
 * 1:38242 <-> DISABLED <-> SERVER-WEBAPP VmWare Tools command injection attempt (server-webapp.rules)
 * 1:38241 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38240 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38239 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38238 <-> ENABLED <-> FILE-FLASH Adobe Flash Player rectangle width integer overflow attempt (file-flash.rules)
 * 1:38237 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt (file-office.rules)
 * 1:38236 <-> DISABLED <-> SERVER-WEBAPP Wordpress MM Forms community plugin arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:38235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FighterPOS variant outbound connection (malware-cnc.rules)
 * 1:38234 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.FighterPOS (blacklist.rules)
 * 1:38233 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38232 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38231 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38230 <-> DISABLED <-> BROWSER-PLUGINS WebGate Control Center WESPPlayback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38229 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager sam-ajax-admin.php directory traversal attempt (server-webapp.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
 * 3:38244 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download (exploit-kit.rules)
 * 3:38245 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Flash exploit file download (exploit-kit.rules)

Modified Rules:


 * 1:17743 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF parsing memory corruption attempt (file-office.rules)
 * 1:38226 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:38225 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid FLV header out of bounds write attempt (file-flash.rules)
 * 1:34138 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Netkrypt inbound response (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:23566 <-> DISABLED <-> FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt (file-other.rules)
 * 1:23304 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23303 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23302 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23301 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23300 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23299 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23298 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23297 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23296 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23295 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23146 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23286 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23287 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23288 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23294 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23292 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23291 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23293 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23289 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23290 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)