Talos Rules 2016-11-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-11-01 18:51:09 UTC

Snort Subscriber Rules Update

Date: 2016-11-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
 * 1:40584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
 * 1:40587 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
 * 1:40588 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
 * 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
 * 1:40593 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40594 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40595 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Berbew variant outbound connection (malware-cnc.rules)
 * 1:40597 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with wget from external source (indicator-compromise.rules)
 * 1:40598 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with curl from external source (indicator-compromise.rules)
 * 1:40599 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40601 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise activity (malware-cnc.rules)
 * 1:40600 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40602 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40603 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
 * 1:40585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
 * 1:40612 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download attempt (malware-cnc.rules)
 * 1:40611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant download attempt (malware-cnc.rules)
 * 1:40610 <-> DISABLED <-> INDICATOR-COMPROMISE DNS response points to sinkholed domain (indicator-compromise.rules)
 * 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
 * 1:40583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
 * 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:40356 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
 * 1:40357 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)

2016-11-01 18:51:09 UTC

Snort Subscriber Rules Update

Date: 2016-11-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40612 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download attempt (malware-cnc.rules)
 * 1:40611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant download attempt (malware-cnc.rules)
 * 1:40610 <-> DISABLED <-> INDICATOR-COMPROMISE DNS response points to sinkholed domain (indicator-compromise.rules)
 * 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40603 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40602 <-> ENABLED <-> FILE-PDF Adobe Reader XFA exclGroup JavaScript out of bounds memory access attempt (file-pdf.rules)
 * 1:40601 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise activity (malware-cnc.rules)
 * 1:40600 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40599 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40598 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with curl from external source (indicator-compromise.rules)
 * 1:40597 <-> DISABLED <-> INDICATOR-COMPROMISE shell script download with wget from external source (indicator-compromise.rules)
 * 1:40596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Berbew variant outbound connection (malware-cnc.rules)
 * 1:40595 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40594 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40593 <-> DISABLED <-> PUA-ADWARE Win.Adware.CoolMirage outbound ad download attempt (pua-adware.rules)
 * 1:40592 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt (server-webapp.rules)
 * 1:40591 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40590 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40589 <-> DISABLED <-> SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt (server-webapp.rules)
 * 1:40588 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
 * 1:40587 <-> ENABLED <-> FILE-PDF Adobe Reader XLST parsing engine use after free attempt (file-pdf.rules)
 * 1:40586 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
 * 1:40585 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader SaveAs use-after-free attempt (file-pdf.rules)
 * 1:40584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
 * 1:40583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player event handler out of bounds memory access attempt (file-flash.rules)
 * 1:40582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)
 * 1:40581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sentEvent use after free attempt (file-flash.rules)

Modified Rules:


 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:40356 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
 * 1:40357 <-> ENABLED <-> PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection (pua-adware.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:40523 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt (malware-cnc.rules)
 * 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
 * 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)