Talos Rules 2016-04-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)

2016-04-08 01:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:38428 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38427 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38426 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38425 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ExportAssets count memory corruption attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38420 <-> DISABLED <-> FILE-FLASH Adobe Flash Player setupapi.dll dll-load exploit attempt (file-flash.rules)
 * 1:38419 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RASMan.dll dll-load exploit attempt (file-flash.rules)
 * 1:38418 <-> DISABLED <-> FILE-FLASH Adobe Flash Player HNetCfg.dll dll-load exploit attempt (file-flash.rules)
 * 1:38417 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ClbCatQ.dll dll-load exploit attempt (file-flash.rules)
 * 1:38416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection to ColorMatrixFilter object type confusion attempt (file-flash.rules)
 * 1:38412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player duplicateMovieClip use after free attempt (file-flash.rules)
 * 1:38410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38409 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38408 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38407 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JPEG-XR decode buffer overflow attempt (file-flash.rules)
 * 1:38406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38403 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform Class Matrix AS2 use after free attempt (file-flash.rules)
 * 1:38402 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:38401 <-> ENABLED <-> FILE-FLASH Adobe Flash Player multiple scripts display rendering use-after-free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:30523 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30522 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30521 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response (server-other.rules)
 * 1:30520 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response (server-other.rules)