Talos Rules 2016-10-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-10-12 00:27:31 UTC

Snort Subscriber Rules Update

Date: 2016-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40440 <-> ENABLED <-> FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt (file-pdf.rules)
 * 1:40439 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt (file-flash.rules)
 * 1:40434 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt (file-flash.rules)
 * 1:40433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon (malware-cnc.rules)
 * 1:40431 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)
 * 1:40432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon (malware-cnc.rules)
 * 1:40435 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt (file-flash.rules)
 * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules)
 * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules)
 * 1:40438 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt (file-flash.rules)
 * 1:40443 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt (file-flash.rules)
 * 1:40442 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt (file-flash.rules)
 * 1:40441 <-> ENABLED <-> FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt (file-pdf.rules)

Modified Rules:


 * 1:31237 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)

2016-10-12 00:27:31 UTC

Snort Subscriber Rules Update

Date: 2016-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40443 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt (file-flash.rules)
 * 1:40442 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FrameLabel memory corruption attempt (file-flash.rules)
 * 1:40441 <-> ENABLED <-> FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt (file-pdf.rules)
 * 1:40440 <-> ENABLED <-> FILE-PDF Adobe Reader TrueType font file numberofmetrics out of bounds read attempt (file-pdf.rules)
 * 1:40439 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt (file-flash.rules)
 * 1:40438 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player AS3 NetStream object use after free attempt (file-flash.rules)
 * 1:40437 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules)
 * 1:40436 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XSLT substring memory corruption attempt (file-pdf.rules)
 * 1:40435 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt (file-flash.rules)
 * 1:40434 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed ActionConstantPool memory corruption attempt (file-flash.rules)
 * 1:40433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon (malware-cnc.rules)
 * 1:40432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon (malware-cnc.rules)
 * 1:40431 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)

Modified Rules:


 * 1:31237 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound swf request (exploit-kit.rules)
 * 1:26021 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XML Java used in app.setTimeOut (file-pdf.rules)