Talos Rules 2016-07-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-07-21 22:06:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
 * 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
 * 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
 * 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)

Modified Rules:


 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)

2016-07-21 22:06:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
 * 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
 * 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
 * 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)

Modified Rules:


 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)

2016-07-21 22:06:08 UTC

Snort Subscriber Rules Update

Date: 2016-07-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39712 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39711 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PrintJobOptions use-after-free attempt (file-flash.rules)
 * 1:39710 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string mozilla/2.0 (blacklist.rules)
 * 1:39709 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39708 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39707 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:39705 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant inbound connection attempt (malware-cnc.rules)
 * 1:39704 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39703 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
 * 1:39702 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39701 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MediaPlayerItemLoader out of bounds memory access attempt (file-flash.rules)
 * 1:39700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39698 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39697 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39696 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39695 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39694 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39693 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39692 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39691 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39690 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39689 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ABRControlParameters access memory corruption attempt (file-flash.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
 * 1:39682 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound ad download attempt (pua-adware.rules)
 * 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:39677 <-> ENABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 3:39678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Performance Manager command injection attempt (server-webapp.rules)
 * 3:39683 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)
 * 3:39684 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0186 attack attempt (file-image.rules)

Modified Rules:


 * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 3:38856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38858 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)
 * 3:38859 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt (file-other.rules)