Talos Rules 2016-12-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-12-22 16:14:49 UTC

Snort Subscriber Rules Update

Date: 2016-12-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
 * 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
 * 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
 * 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt (malware-cnc.rules)
 * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap out bound communication attempt (malware-cnc.rules)
 * 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)
 * 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)

Modified Rules:


 * 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)

2016-12-22 16:14:49 UTC

Snort Subscriber Rules Update

Date: 2016-12-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
 * 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap out bound communication attempt (malware-cnc.rules)
 * 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
 * 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
 * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt (malware-cnc.rules)
 * 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)
 * 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)

2016-12-22 16:14:49 UTC

Snort Subscriber Rules Update

Date: 2016-12-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
 * 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
 * 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap out bound communication attempt (malware-cnc.rules)
 * 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt (malware-cnc.rules)
 * 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
 * 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)
 * 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)

Modified Rules:


 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)