Talos Rules 2016-11-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-11-17 19:27:29 UTC

Snort Subscriber Rules Update

Date: 2016-11-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40800 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Crypton (blacklist.rules)
 * 1:40799 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
 * 1:40798 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
 * 1:40797 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40796 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40795 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:40787 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:40784 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
 * 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
 * 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
 * 1:40781 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
 * 1:40780 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
 * 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
 * 3:40810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40789 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40790 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40791 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40792 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40793 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40794 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40801 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
 * 3:40809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40802 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
 * 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
 * 3:40808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)

Modified Rules:


 * 1:34757 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
 * 1:34758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:40170 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
 * 1:40171 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)

2016-11-17 19:27:29 UTC

Snort Subscriber Rules Update

Date: 2016-11-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
 * 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
 * 1:40780 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
 * 1:40781 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
 * 1:40788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:40796 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40787 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:40799 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
 * 1:40795 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40798 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
 * 1:40797 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
 * 1:40800 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Crypton (blacklist.rules)
 * 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:40784 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
 * 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
 * 3:40802 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
 * 3:40793 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40791 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40801 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
 * 3:40790 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40794 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40792 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
 * 3:40805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
 * 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
 * 3:40789 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)

Modified Rules:


 * 1:34757 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
 * 1:34758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
 * 1:40170 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
 * 1:40171 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)