Talos Rules 2016-04-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-other, file-other, indicator-compromise, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in these areas.

Change logs

2016-04-26 19:02:51 UTC

Snort Subscriber Rules Update

Date: 2016-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
 * 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
 * 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
 * 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
 * 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
 * 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)

Modified Rules:
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)

2016-04-26 19:02:51 UTC

Snort Subscriber Rules Update

Date: 2016-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
 * 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
 * 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
 * 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
 * 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
 * 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
 * 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)

Modified Rules:
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)

2016-04-26 19:02:51 UTC

Snort Subscriber Rules Update

Date: 2016-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
 * 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
 * 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
 * 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
 * 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
 * 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
 * 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
 * 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
 * 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
 * 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
 * 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
 * 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
 * 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)

Modified Rules:
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)