Talos Rules 2016-10-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-image, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats in these areas.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-10-25 17:25:02 UTC

Snort Subscriber Rules Update

Date: 2016-10-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection attempt (malware-cnc.rules)
 * 1:40517 <-> DISABLED <-> PROTOCOL-SCADA Rockwell ControlLogix set network configuration attempt (protocol-scada.rules)
 * 1:40518 <-> DISABLED <-> PROTOCOL-SCADA Rockwell ControlLogix CPU STOP attempt (protocol-scada.rules)
 * 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
 * 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules)
 * 1:40528 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Instally (blacklist.rules)
 * 1:40529 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40530 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40531 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40532 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40543 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40542 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 3:40540 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0205 attack attempt (file-image.rules)
 * 3:40539 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0205 attack attempt (file-image.rules)
 * 3:40538 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40536 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40537 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40534 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40535 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40526 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0187 attack attempt (file-image.rules)
 * 3:40533 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40525 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0187 attack attempt (file-image.rules)

Modified Rules:
2016-10-25 17:25:01 UTC

Snort Subscriber Rules Update

Date: 2016-10-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40543 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40542 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
 * 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection attempt (malware-cnc.rules)
 * 1:40532 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40531 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40530 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40529 <-> DISABLED <-> PUA-ADWARE Win.Downloader.Instally variant outbound connection attempt (pua-adware.rules)
 * 1:40528 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Instally (blacklist.rules)
 * 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
 * 1:40524 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt (server-webapp.rules)
 * 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40518 <-> DISABLED <-> PROTOCOL-SCADA Rockwell ControlLogix CPU STOP attempt (protocol-scada.rules)
 * 1:40517 <-> DISABLED <-> PROTOCOL-SCADA Rockwell ControlLogix set network configuration attempt (protocol-scada.rules)
 * 3:40540 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0205 attack attempt (file-image.rules)
 * 3:40538 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40539 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0205 attack attempt (file-image.rules)
 * 3:40536 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40537 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40534 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40535 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40526 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0187 attack attempt (file-image.rules)
 * 3:40533 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0190 attack attempt (file-image.rules)
 * 3:40525 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0187 attack attempt (file-image.rules)

Modified Rules: