Talos Rules 2016-09-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-image, file-office, indicator-obfuscation, malware-cnc, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-09-30 23:10:04 UTC

Snort Subscriber Rules Update

Date: 2016-09-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Randrew variant outbound connection (malware-cnc.rules)
 * 1:40313 <-> DISABLED <-> SQL PostgreSQL potential remote code execution attempt (sql.rules)
 * 1:40310 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40311 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:40305 <-> DISABLED <-> PUA-ADWARE Win.Adware.SupTab external connection attempt (pua-adware.rules)
 * 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Word document containing VBA project entry detected (file-office.rules)
 * 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Word document containing VBA project entry detected (file-office.rules)
 * 1:40308 <-> ENABLED <-> MALWARE-CNC Backdoor.MSIL.Kazybot.A botnet server connection attempt (malware-cnc.rules)
 * 3:40315 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0193 attack attempt (file-image.rules)
 * 3:40314 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0193 attack attempt (file-image.rules)

Modified Rules:

 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)

2016-09-30 23:10:04 UTC

Snort Subscriber Rules Update

Date: 2016-09-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:40313 <-> DISABLED <-> SQL PostgreSQL potential remote code execution attempt (sql.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:40311 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40310 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
 * 1:40309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Randrew variant outbound connection (malware-cnc.rules)
 * 1:40308 <-> ENABLED <-> MALWARE-CNC Backdoor.MSIL.Kazybot.A botnet server connection attempt (malware-cnc.rules)
 * 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Word document containing VBA project entry detected (file-office.rules)
 * 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Word document containing VBA project entry detected (file-office.rules)
 * 1:40305 <-> DISABLED <-> PUA-ADWARE Win.Adware.SupTab external connection attempt (pua-adware.rules)
 * 3:40314 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0193 attack attempt (file-image.rules)
 * 3:40315 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0193 attack attempt (file-image.rules)

Modified Rules:

 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:29519 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using split reverse join (indicator-obfuscation.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)