Talos Rules 2016-09-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, file-pdf, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats in these categories.

Change logs

2016-09-16 20:41:12 UTC

Snort Subscriber Rules Update

Date: 2016-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40233 <-> ENABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
 * 1:40231 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CeeInject external connection (malware-cnc.rules)
 * 1:40230 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40228 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40229 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40227 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40225 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure attempt (server-other.rules)
 * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules)
 * 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
 * 1:40224 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40226 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
 * 1:40235 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (malware-cnc.rules)
 * 1:40237 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 1:40236 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 3:40239 <-> ENABLED <-> SERVER-OTHER Cisco WebEx meetings server denial of service attempt (server-other.rules)
 * 3:40240 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server config_dmz remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:35608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)
 * 1:35607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)
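The lists above follow the `gid:sid <-> Default rule state <-> Message (rule group)` layout described in the header, and two details matter when rolling the release out: the eight Cisco ASA WebVPN cross-site-scripting rules (1:40224 through 1:40231) ship DISABLED by default and have to be turned on explicitly, and the two WebEx rules carry GID 3, which marks them as shared-object (precompiled) rules tied to a specific Snort build, which is why the changelog is repeated per Snort version. The following parser is an added example, not part of the Talos release notes or any Talos tooling; the sample text is a subset of this release's own lines, and the `enablesid_lines` helper emits the `gid:sid` form that PulledPork's enablesid.conf accepts, which is an assumption about how the reader manages rule state.

```python
import re
from collections import Counter

# Sample input: a subset of the lines from this release, in the changelog format,
# including the section headers and blank lines a real changelog carries.
SAMPLE = """\
New Rules:

 * 1:40233 <-> ENABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:40231 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure attempt (server-other.rules)
 * 3:40240 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server config_dmz remote code execution attempt (server-webapp.rules)

Modified Rules:

 * 1:35608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into dicts with gid, sid, state, msg, group and section."""
    rules, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):           # "New Rules:" / "Modified Rules:"
            section = stripped[: -len(" Rules:")]
            continue
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["gid"], rec["sid"] = int(rec["gid"]), int(rec["sid"])
            rec["section"] = section
            rules.append(rec)
    return rules


def disabled_sids(rules):
    """(gid, sid) pairs that will not fire until an operator enables them."""
    return sorted((r["gid"], r["sid"]) for r in rules if r["state"] == "DISABLED")


def shared_object_sids(rules):
    """GID 3 entries are shared-object rules: precompiled and bound to a Snort build."""
    return sorted(r["sid"] for r in rules if r["gid"] == 3)


def count_by_group(rules):
    """How many entries each .rules file receives in this release."""
    return Counter(r["group"] for r in rules)


def enablesid_lines(rules, keyword):
    """gid:sid lines (PulledPork enablesid.conf style, assumed) for disabled rules
    whose message mentions keyword, e.g. to switch on the ASA WebVPN rules."""
    return [
        f"{r['gid']}:{r['sid']}"
        for r in rules
        if r["state"] == "DISABLED" and keyword in r["msg"]
    ]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("disabled:", disabled_sids(parsed))
    print("shared-object:", shared_object_sids(parsed))
    print("per group:", dict(count_by_group(parsed)))
    print("enablesid lines:", enablesid_lines(parsed, "Cisco ASA WebVPN"))
```

Run against the full release text, `disabled_sids` returns exactly the 1:40224 through 1:40231 range and `shared_object_sids` returns 40239 and 40240; feed the `enablesid_lines` output to whatever manages your rule state only after checking that the GID 3 rules you enable match the Snort version you actually run.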

2016-09-16 20:41:12 UTC

Snort Subscriber Rules Update

Date: 2016-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules)
 * 1:40237 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 1:40236 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 1:40235 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (malware-cnc.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
 * 1:40233 <-> ENABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:40232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CeeInject external connection (malware-cnc.rules)
 * 1:40231 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40230 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40229 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40228 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40227 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40226 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40225 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40224 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
 * 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure attempt (server-other.rules)
 * 3:40239 <-> ENABLED <-> SERVER-OTHER Cisco WebEx meetings server denial of service attempt (server-other.rules)
 * 3:40240 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server config_dmz remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:35608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)
 * 1:35607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)

2016-09-16 20:41:12 UTC

Snort Subscriber Rules Update

Date: 2016-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40233 <-> ENABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
 * 1:40224 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure attempt (server-other.rules)
 * 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
 * 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
 * 1:40225 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40226 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40227 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40228 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40229 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40230 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40231 <-> DISABLED <-> SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt (server-webapp.rules)
 * 1:40232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CeeInject external connection (malware-cnc.rules)
 * 1:40238 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection (malware-cnc.rules)
 * 1:40236 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 1:40237 <-> ENABLED <-> FILE-PDF Adobe Reader embedded font out of bounds memory access attempt (file-pdf.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
 * 1:40235 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (malware-cnc.rules)
 * 3:40240 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server config_dmz remote code execution attempt (server-webapp.rules)
 * 3:40239 <-> ENABLED <-> SERVER-OTHER Cisco WebEx meetings server denial of service attempt (server-other.rules)

Modified Rules:


 * 1:35608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)
 * 1:35607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player CreateTextField use-after-free attempt (file-flash.rules)