Talos Rules 2016-04-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)