Talos Rules 2016-08-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-flash, file-image, indicator-compromise, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-08-16 23:00:41 UTC

Snort Subscriber Rules Update

Date: 2016-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39880 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39881 <-> DISABLED <-> INDICATOR-COMPROMISE Meteocontrol WEBlog config containing passwords download attempt (indicator-compromise.rules)
 * 1:39879 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibro outbound connection detected (malware-cnc.rules)
 * 3:39883 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
 * 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
 * 3:39884 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)

Modified Rules:


 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)

2016-08-16 23:00:41 UTC

Snort Subscriber Rules Update

Date: 2016-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39880 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39879 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39881 <-> DISABLED <-> INDICATOR-COMPROMISE Meteocontrol WEBlog config containing passwords download attempt (indicator-compromise.rules)
 * 1:39882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibro outbound connection detected (malware-cnc.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
 * 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
 * 3:39884 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)
 * 3:39883 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)

Modified Rules:


 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)

2016-08-16 23:00:40 UTC

Snort Subscriber Rules Update

Date: 2016-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibro outbound connection detected (malware-cnc.rules)
 * 1:39881 <-> DISABLED <-> INDICATOR-COMPROMISE Meteocontrol WEBlog config containing passwords download attempt (indicator-compromise.rules)
 * 1:39880 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39879 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
 * 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
 * 3:39884 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)
 * 3:39883 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0189 attack attempt (file-image.rules)

Modified Rules:


 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)