Talos Rules 2016-09-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-image, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats in these categories.

Change logs

2016-09-20 14:07:30 UTC

Snort Subscriber Rules Update

Date: 2016-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
 * 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)
 * 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
 * 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)
 * 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)

Modified Rules:

 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)

2016-09-20 14:07:30 UTC

Snort Subscriber Rules Update

Date: 2016-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
 * 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)
 * 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
 * 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)

Modified Rules:

 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

2016-09-20 14:07:30 UTC

Snort Subscriber Rules Update

Date: 2016-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
 * 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
 * 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
 * 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
 * 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)

Modified Rules:

 * 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)