Talos Rules 2016-10-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-10-20 17:18:02 UTC

Snort Subscriber Rules Update

Date: 2016-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules)
 * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules)
 * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules)
 * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40501 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:40502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules)
 * 1:40497 <-> ENABLED <-> SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt (server-webapp.rules)
 * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:40495 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules)
 * 1:40496 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules)
 * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium PHP file upload attempt (server-webapp.rules)
 * 1:40492 <-> DISABLED <-> PUA-ADWARE Win.Adware.DownloadManager outbound connection (pua-adware.rules)
 * 3:40498 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA Crypto CA Server out of bounds read attempt (server-webapp.rules)
 * 3:40499 <-> ENABLED <-> SERVER-OTHER Cisco ASA NBSTAT response stack buffer overflow attempt (server-other.rules)
 * 3:40504 <-> ENABLED <-> SERVER-OTHER Cisco Snort HTTP chunked transfer encoding processing denial of service attempt (server-other.rules)

Modified Rules:


 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:23910 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23911 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules)
 * 1:23913 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules)
 * 1:23914 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23915 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23916 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23917 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23918 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23919 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23920 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23921 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23922 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23923 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23924 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23925 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23926 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23927 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23928 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23929 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:39362 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
 * 1:31299 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:23930 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules)
 * 1:28797 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt (exploit-kit.rules)
 * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules)
 * 1:23931 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:23932 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:28796 <-> ENABLED <-> EXPLOIT-KIT iFRAMEr successful cnt.php redirection (exploit-kit.rules)
 * 1:23933 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
 * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules)
 * 1:23912 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules)
 * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules)
 * 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:40081 <-> DISABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:23905 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:23906 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23908 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23909 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23907 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)

2016-10-20 17:18:02 UTC

Snort Subscriber Rules Update

Date: 2016-10-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules)
 * 1:40515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules)
 * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules)
 * 1:40503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules)
 * 1:40502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules)
 * 1:40501 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
 * 1:40497 <-> ENABLED <-> SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt (server-webapp.rules)
 * 1:40496 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules)
 * 1:40495 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium PHP file upload attempt (server-webapp.rules)
 * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules)
 * 1:40492 <-> DISABLED <-> PUA-ADWARE Win.Adware.DownloadManager outbound connection (pua-adware.rules)
 * 3:40498 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA Crypto CA Server out of bounds read attempt (server-webapp.rules)
 * 3:40499 <-> ENABLED <-> SERVER-OTHER Cisco ASA NBSTAT response stack buffer overflow attempt (server-other.rules)
 * 3:40504 <-> ENABLED <-> SERVER-OTHER Cisco Snort HTTP chunked transfer encoding processing denial of service attempt (server-other.rules)

Modified Rules:


 * 1:23908 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23906 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules)
 * 1:23905 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules)
 * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules)
 * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
 * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules)
 * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40081 <-> DISABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules)
 * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules)
 * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules)
 * 1:39362 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
 * 1:31299 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules)
 * 1:28797 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt (exploit-kit.rules)
 * 1:28796 <-> ENABLED <-> EXPLOIT-KIT iFRAMEr successful cnt.php redirection (exploit-kit.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules)
 * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules)
 * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules)
 * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules)
 * 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules)
 * 1:23933 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23932 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23931 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23930 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23929 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23928 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23927 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23926 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23925 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23924 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23923 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23922 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23921 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23920 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23919 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23918 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23917 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23916 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23915 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23914 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23913 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23911 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23912 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23910 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23907 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
 * 1:23909 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)