Talos Rules 2016-04-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-21 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2016-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
 * 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
 * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
 * 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
 * 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
 * 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
 * 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)

2016-04-21 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2016-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
 * 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
 * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
 * 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
 * 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
 * 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)

Modified Rules:


 * 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
 * 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)

2016-04-21 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2016-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
 * 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
 * 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
 * 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
 * 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
 * 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
 * 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
 * 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
 * 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
 * 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
 * 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)