Talos Rules 2016-05-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, malware-other, policy-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-05-19 15:30:55 UTC

Snort Subscriber Rules Update

Date: 2016-05-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
 * 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

Modified Rules:


 * 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
 * 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)

2016-05-19 15:30:55 UTC

Snort Subscriber Rules Update

Date: 2016-05-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
 * 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
 * 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

Modified Rules:


 * 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)
 * 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)

2016-05-19 15:30:55 UTC

Snort Subscriber Rules Update

Date: 2016-05-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38964 <-> DISABLED <-> POLICY-OTHER VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (policy-other.rules)
 * 1:38959 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38960 <-> ENABLED <-> FILE-PDF Adobe Reader malformed Universal 3D stream memory corruption attempt (file-pdf.rules)
 * 1:38951 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38954 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38955 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38953 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 1:38956 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt (malware-cnc.rules)
 * 1:38949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38961 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38957 <-> ENABLED <-> FILE-OTHER Adobe Acrobat DC invalid TIFF tagtype out of bounds read attempt (file-other.rules)
 * 1:38962 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod (blacklist.rules)
 * 1:38965 <-> DISABLED <-> SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:38952 <-> ENABLED <-> PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt (pua-adware.rules)
 * 3:38958 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance socket exhaustion denial of service attempt (server-other.rules)

Modified Rules:


 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:17367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP Response Parsing Memory Corruption (browser-ie.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38133 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate redirector (exploit-kit.rules)