Talos Rules 2016-03-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, file-java, indicator-obfuscation and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-24 21:15:42 UTC

Snort Subscriber Rules Update

Date: 2016-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38338 <-> DISABLED <-> FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt (file-java.rules)
 * 1:38339 <-> DISABLED <-> FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt (file-java.rules)
 * 1:38336 <-> DISABLED <-> SERVER-WEBAPP possible directory traversal attempt (server-webapp.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38335 <-> DISABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
 * 1:38331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:38333 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Bifrose outbound connection (malware-cnc.rules)
 * 1:38334 <-> DISABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader multiple encodings per line attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:36798 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt test rule (exploit-kit.rules)

2016-03-24 21:15:42 UTC

Snort Subscriber Rules Update

Date: 2016-03-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38339 <-> DISABLED <-> FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt (file-java.rules)
 * 1:38338 <-> DISABLED <-> FILE-JAVA Oracle Java Class Loader namespace sandbox bypass attempt (file-java.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38336 <-> DISABLED <-> SERVER-WEBAPP possible directory traversal attempt (server-webapp.rules)
 * 1:38335 <-> DISABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
 * 1:38334 <-> DISABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
 * 1:38333 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Bifrose outbound connection (malware-cnc.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP Evader dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:36798 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt test rule (exploit-kit.rules)