Talos Rules 2016-12-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-executable, file-office, file-pdf and server-webapp rule sets to provide coverage for emerging threats in these areas. Note that the new GID 3 entries (the TRUFFLEHUNTER rules tied to TALOS-2016 advisories) are shared-object rules, shipped as precompiled binaries built for a specific Snort version rather than as text rules, and that the GID 1 Reference Design Kit command injection rule ships disabled by default and must be enabled explicitly before it generates alerts.

Change logs

2016-12-08 15:03:46 UTC

Snort Subscriber Rules Update

Date: 2016-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (2.9.8.3).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40934 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40932 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40931 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40930 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40929 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40928 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40927 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40926 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0214 attack attempt (file-pdf.rules)
 * 3:40925 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0214 attack attempt (file-pdf.rules)
 * 3:40924 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0213 attack attempt (file-pdf.rules)
 * 3:40923 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0213 attack attempt (file-pdf.rules)
 * 3:40922 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0212 attack attempt (file-pdf.rules)
 * 3:40921 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0212 attack attempt (file-pdf.rules)
 * 3:40920 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0211 attack attempt (file-pdf.rules)
 * 3:40919 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0211 attack attempt (file-pdf.rules)
 * 3:40918 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0210 attack attempt (file-pdf.rules)
 * 3:40917 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0210 attack attempt (file-pdf.rules)
 * 3:40916 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0236 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:28851 <-> ENABLED <-> SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt (server-other.rules)
 * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)
 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40107 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
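The change-log format described above (gid:sid <-> Default rule state <-> Message (rule group)) is simple enough to parse mechanically, which is useful when you need to know which new SIDs ship disabled, which entries are GID 3 shared-object rules that require a version-matched binary pack, or which Talos advisories a release covers. The following is an added example written for this page, not code from Talos or from the Snort project; it assumes only the format stated above, uses an excerpt of the 2983 log as inline sample input, and renders enable lists in the gid:sid form accepted by PulledPork's enablesid.conf, which is an assumption about the tool managing the rule set.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One change-log entry in the "gid:sid <-> state <-> message (group)" format, e.g.
#  * 1:40933 <-> DISABLED <-> SERVER-WEBAPP ... command injection attempt (server-webapp.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
TALOS_ID_RE = re.compile(r"TALOS-\d{4}-\d{4}")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool        # default rule state in the shipped pack
    message: str
    group: str           # rules file the entry lives in, e.g. file-pdf.rules
    section: str         # "new" or "modified"


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse a Talos change log into RuleEntry records.

    Entries are tagged with the section ("New Rules:" / "Modified Rules:") they
    appear under. An entry seen before any section header raises instead of
    being silently dropped, so a truncated or reordered log cannot yield a
    misleading SID list.
    """
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # headers, blank lines, prose
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            message=m["msg"], group=m["group"], section=section,
        ))
    return entries


def default_disabled(entries: List[RuleEntry]) -> List[Tuple[int, int]]:
    """(gid, sid) pairs that ship disabled; they only fire if enabled explicitly."""
    return sorted((e.gid, e.sid) for e in entries if not e.enabled)


def shared_object_sids(entries: List[RuleEntry]) -> List[int]:
    """SIDs of GID 3 (shared-object) rules, which ship as precompiled binaries
    matched to a specific Snort version rather than as text rules."""
    return sorted(e.sid for e in entries if e.gid == 3)


def talos_ids(entries: List[RuleEntry]) -> List[str]:
    """Distinct TALOS-YYYY-NNNN advisory identifiers referenced in rule messages."""
    found = set()
    for e in entries:
        found.update(TALOS_ID_RE.findall(e.message))
    return sorted(found)


def group_counts(entries: List[RuleEntry], section: Optional[str] = None) -> Counter:
    """Number of entries per rules file, optionally restricted to one section."""
    return Counter(e.group for e in entries if section in (None, e.section))


def enablesid_lines(pairs: List[Tuple[int, int]]) -> List[str]:
    """Render (gid, sid) pairs one per line as gid:sid, the form PulledPork's
    enablesid.conf accepts (assumption: PulledPork manages the rule set)."""
    return [f"{gid}:{sid}" for gid, sid in pairs]


# Sample input: an excerpt of the 2983 change log above.
SAMPLE_LOG = """\
New Rules:

 * 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40916 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0236 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:28851 <-> ENABLED <-> SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt (server-other.rules)
 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
"""

if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_LOG)
    print(f"{len(entries)} entries; disabled by default:",
          enablesid_lines(default_disabled(entries)))
    print("shared-object SIDs:", shared_object_sids(entries))
    print("advisories covered:", talos_ids(entries))
    print("new rules per file:", dict(group_counts(entries, "new")))
```

Run against the full text of a change log rather than the excerpt and the disabled list is what you review before deciding whether to turn a rule on; the GID 3 list tells you whether the release is of any use on a sensor whose shared-object pack does not match its Snort version.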

2016-12-08 15:03:46 UTC

Snort Subscriber Rules Update

Date: 2016-12-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (2.9.7.6).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40933 <-> DISABLED <-> SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt (server-webapp.rules)
 * 3:40927 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40923 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0213 attack attempt (file-pdf.rules)
 * 3:40916 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0236 attack attempt (server-webapp.rules)
 * 3:40917 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0210 attack attempt (file-pdf.rules)
 * 3:40919 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0211 attack attempt (file-pdf.rules)
 * 3:40918 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0210 attack attempt (file-pdf.rules)
 * 3:40920 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0211 attack attempt (file-pdf.rules)
 * 3:40921 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0212 attack attempt (file-pdf.rules)
 * 3:40922 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0212 attack attempt (file-pdf.rules)
 * 3:40924 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0213 attack attempt (file-pdf.rules)
 * 3:40925 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0214 attack attempt (file-pdf.rules)
 * 3:40926 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0214 attack attempt (file-pdf.rules)
 * 3:40935 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40934 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0217 attack attempt (file-executable.rules)
 * 3:40930 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40931 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40932 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40928 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40929 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)

Modified Rules:


 * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)
 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40107 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:28851 <-> ENABLED <-> SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt (server-other.rules)