Talos Rules 2016-07-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-executable, file-other, malware-backdoor, malware-cnc, malware-other, pua-adware and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-07-28 15:28:01 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)

Modified Rules:
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

2016-07-28 15:28:00 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

New Rules:
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)

Modified Rules:
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

2016-07-28 15:27:59 UTC

Snort Subscriber Rules Update

Date: 2016-07-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:
 * 1:39743 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39742 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt (server-webapp.rules)
 * 1:39741 <-> DISABLED <-> PUA-ADWARE Win.Adware.StartPage variant outbound connection (pua-adware.rules)
 * 1:39740 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39739 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee (blacklist.rules)
 * 1:39738 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trans callout attempt (malware-cnc.rules)
 * 1:39737 <-> DISABLED <-> SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt (server-webapp.rules)
 * 1:39736 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39735 <-> DISABLED <-> FILE-OTHER VideoCharge Studio buffer overflow SEH attempt (file-other.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection attempt (malware-other.rules)

Modified Rules:
 * 1:6316 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager request (malware-backdoor.rules)
 * 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
 * 1:15584 <-> DISABLED <-> SQL char and sysobjects - possible sql injection recon attempt (sql.rules)
 * 1:20764 <-> DISABLED <-> SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:6309 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password request (malware-backdoor.rules)
 * 1:6310 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password send (malware-backdoor.rules)
 * 1:6314 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser request (malware-backdoor.rules)
 * 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
 * 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
 * 1:6312 <-> ENABLED <-> MALWARE-BACKDOOR net demon runtime detection - message send (malware-backdoor.rules)
 * 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)