Talos Rules 2016-06-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, indicator-obfuscation, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-06-21 19:52:23 UTC

Snort Subscriber Rules Update

Date: 2016-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
 * 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)

2016-06-21 19:52:23 UTC

Snort Subscriber Rules Update

Date: 2016-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

Modified Rules:


 * 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)

2016-06-21 19:52:23 UTC

Snort Subscriber Rules Update

Date: 2016-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)

2016-06-21 19:52:23 UTC

Snort Subscriber Rules Update

Date: 2016-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
 * 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
 * 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
 * 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
 * 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)