Talos Rules 2016-07-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-executable, file-other, malware-backdoor, malware-cnc, malware-other, pua-adware and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-07-28 15:28:01 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)

Modified Rules:
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

2016-07-28 15:28:00 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)

Modified Rules:
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

2016-07-28 15:27:59 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)

Modified Rules:
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)