Talos Rules 2016-08-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-executable, file-other, file-pdf, malware-cnc, malware-other, os-solaris, protocol-snmp, pua-adware, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-08-30 20:55:50 UTC

Snort Subscriber Rules Update

Date: 2016-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39940 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eparfum.ro - Donoff (blacklist.rules)
 * 1:39939 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supketwron.ru - Donoff (blacklist.rules)
 * 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39941 <-> DISABLED <-> SCADA Schneider Electric Accutech http request overflow attempt (scada.rules)
 * 1:39936 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 3:39919 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39918 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39937 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)
 * 3:39938 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:24321 <-> DISABLED <-> SERVER-OTHER HP StorageWorks File Migration Agent buffer overflow attempt (server-other.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:39909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adnel outbound connection detected (malware-cnc.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)

2016-08-30 20:55:50 UTC

Snort Subscriber Rules Update

Date: 2016-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39936 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 1:39939 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supketwron.ru - Donoff (blacklist.rules)
 * 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39941 <-> DISABLED <-> SCADA Schneider Electric Accutech http request overflow attempt (scada.rules)
 * 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39940 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eparfum.ro - Donoff (blacklist.rules)
 * 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 3:39918 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39919 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39937 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)
 * 3:39938 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:24321 <-> DISABLED <-> SERVER-OTHER HP StorageWorks File Migration Agent buffer overflow attempt (server-other.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules)
 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:39909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adnel outbound connection detected (malware-cnc.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)

2016-08-30 20:55:49 UTC

Snort Subscriber Rules Update

Date: 2016-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39945 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39944 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39943 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39942 <-> DISABLED <-> SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt (server-webapp.rules)
 * 1:39941 <-> DISABLED <-> SCADA Schneider Electric Accutech http request overflow attempt (scada.rules)
 * 1:39940 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eparfum.ro - Donoff (blacklist.rules)
 * 1:39939 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supketwron.ru - Donoff (blacklist.rules)
 * 1:39936 <-> DISABLED <-> OS-SOLARIS XMDCP double-free attempt (os-solaris.rules)
 * 3:39918 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39919 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0175 attack attempt (file-executable.rules)
 * 3:39937 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)
 * 3:39938 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0194 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:38963 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:39786 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:24321 <-> DISABLED <-> SERVER-OTHER HP StorageWorks File Migration Agent buffer overflow attempt (server-other.rules)
 * 1:39787 <-> DISABLED <-> PUA-ADWARE Win.Dowadmin.Adware outbound connection detected (pua-adware.rules)
 * 1:39734 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected (malware-other.rules)
 * 1:39909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adnel outbound connection detected (malware-cnc.rules)
 * 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
 * 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
 * 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)