Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, exploit-kit, file-image, file-office, indicator-shellcode, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40278 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
* 1:40280 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
* 1:40279 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
* 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40284 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftware.xyz - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
* 1:40285 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftwindowsupdate.org - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain phoneupdates.xyz - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
* 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
* 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
* 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
* 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
* 1:27844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
* 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:17603 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
* 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27843 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
* 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules)
* 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
* 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
* 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40286 <-> ENABLED <-> BLACKLIST DNS request for known malware domain phoneupdates.xyz - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40285 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftwindowsupdate.org - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40284 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftware.xyz - Win.Trojan.Sapertilz (blacklist.rules)
* 1:40283 <-> DISABLED <-> SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt (server-webapp.rules)
* 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40280 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
* 1:40279 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
* 1:40278 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder (indicator-shellcode.rules)
* 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
* 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
* 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40222 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt (server-other.rules)
* 1:40221 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt (server-other.rules)
* 1:40220 <-> ENABLED <-> SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt (server-other.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:17603 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt (browser-firefox.rules)
* 1:27148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:32804 <-> ENABLED <-> EXPLOIT-KIT known malicious javascript packer detected (exploit-kit.rules)
* 1:27149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer beforeeditfocus use after free exploit attempt (browser-ie.rules)
* 1:27843 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
* 1:27844 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use-after-free attempt (browser-ie.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:32803 <-> ENABLED <-> EXPLOIT-KIT CK exploit kit landing page (exploit-kit.rules)
* 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
* 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
* 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
* 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)