Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40764 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response (malware-cnc.rules)
* 1:40766 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack directory traversal attempt (server-other.rules)
* 1:40765 <-> DISABLED <-> SERVER-OTHER Multiple products ICMP denial of service attempt (server-other.rules)
* 1:40775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:40771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miuref variant outbound connection (malware-cnc.rules)
* 1:40760 <-> DISABLED <-> SERVER-OTHER OpenLDAP deref control denial of service attempt (server-other.rules)
* 1:40762 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection (malware-cnc.rules)
* 1:40772 <-> DISABLED <-> PUA-ADWARE Win.Trojan.Miuref variant outbound connection (pua-adware.rules)
* 1:40763 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response (malware-cnc.rules)
* 1:40761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscan outbound connection (malware-cnc.rules)
* 1:40778 <-> ENABLED <-> FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt (file-pdf.rules)
* 1:40779 <-> ENABLED <-> FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt (file-pdf.rules)
* 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
* 3:40777 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0218 attack attempt (file-pdf.rules)
* 3:40768 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40773 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)
* 3:40776 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0218 attack attempt (file-pdf.rules)
* 3:40770 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40769 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40774 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)
* 3:40767 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)

* 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
* 1:29630 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
* 3:40756 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0224 attack attempt (file-pdf.rules)
* 3:40757 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0224 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40779 <-> ENABLED <-> FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt (file-pdf.rules)
* 1:40778 <-> ENABLED <-> FILE-PDF Acrobat Reader Open Cascade Library memory corruption attempt (file-pdf.rules)
* 1:40775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:40772 <-> DISABLED <-> PUA-ADWARE Win.Trojan.Miuref variant outbound connection (pua-adware.rules)
* 1:40771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miuref variant outbound connection (malware-cnc.rules)
* 1:40766 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack directory traversal attempt (server-other.rules)
* 1:40765 <-> DISABLED <-> SERVER-OTHER Multiple products ICMP denial of service attempt (server-other.rules)
* 1:40764 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response (malware-cnc.rules)
* 1:40763 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response (malware-cnc.rules)
* 1:40762 <-> ENABLED <-> MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection (malware-cnc.rules)
* 1:40761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscan outbound connection (malware-cnc.rules)
* 1:40760 <-> DISABLED <-> SERVER-OTHER OpenLDAP deref control denial of service attempt (server-other.rules)
* 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
* 3:40767 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40768 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40769 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40770 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
* 3:40773 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)
* 3:40774 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)
* 3:40776 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0218 attack attempt (file-pdf.rules)
* 3:40777 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0218 attack attempt (file-pdf.rules)

* 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
* 1:29630 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
* 3:40756 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0224 attack attempt (file-pdf.rules)
* 3:40757 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0224 attack attempt (file-pdf.rules)
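A small parser for the release-note format given above (`gid:sid <-> Default rule state <-> Message (rule group)`) that tallies rules by default state and rule group and lists which SIDs ship DISABLED, so an analyst can see what a new pack will not alert on without a local policy change. This is an added example, not Talos or Snort code; the sample text is constructed from entries on this page, and the `*` bullet as the entry separator is assumed from the page's layout.

```python
import re
from collections import Counter

# One entry: gid:sid <-> ENABLED|DISABLED <-> message (group.rules)
ENTRY_RE = re.compile(
    r"\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

def parse_rule_list(text):
    """Parse release-note text into a list of dicts. Several entries may be run
    together on one line (as in scraped copies), so split on the '*' bullet."""
    entries = []
    for line in text.splitlines():
        for chunk in re.split(r"(?:^|\s)\*\s", line.strip()):
            m = ENTRY_RE.match(chunk.strip())
            if m:
                d = m.groupdict()
                d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
                d["category"] = d["msg"].split()[0]  # e.g. MALWARE-CNC
                entries.append(d)
    return entries

def summarize(entries):
    """Return (count by state, count by rule group, sorted DISABLED (gid, sid) pairs)."""
    by_state = Counter(e["state"] for e in entries)
    by_group = Counter(e["group"] for e in entries)
    disabled = sorted((e["gid"], e["sid"]) for e in entries if e["state"] == "DISABLED")
    return by_state, by_group, disabled

def new_since(old, new):
    """Entries whose (gid, sid) appears in the new pack but not in the old one."""
    seen = {(e["gid"], e["sid"]) for e in old}
    return [e for e in new if (e["gid"], e["sid"]) not in seen]

# Constructed sample: four entries copied from this page, two of them run together.
SAMPLE = """\
* 1:40765 <-> DISABLED <-> SERVER-OTHER Multiple products ICMP denial of service attempt (server-other.rules) * 1:40775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
* 1:40759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt (os-windows.rules)
* 3:40767 <-> ENABLED <-> FILE-OTHER Cisco IOS-XE update directory traversal attempt (file-other.rules)
"""

if __name__ == "__main__":
    parsed = parse_rule_list(SAMPLE)
    states, groups, off = summarize(parsed)
    print(dict(states), dict(groups))
    print("disabled by default:", off)
```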