Talos Rules 2017-03-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-03-21 13:34:31 UTC

Snort Subscriber Rules Update

Date: 2017-03-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42042 <-> DISABLED <-> SERVER-WEBAPP Wordpress Press-This cross site request forgery attempt (server-webapp.rules)
 * 1:42041 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42019 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42018 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected (exploit-kit.rules)
 * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules)
 * 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42020 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42043 <-> DISABLED <-> SERVER-WEBAPP WordPress embedded URL video cross site scripting attempt (server-webapp.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42046 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42028 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42029 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42032 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42036 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42038 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42039 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:42048 <-> ENABLED <-> SERVER-WEBAPP dnaLIMS sysAdmin.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)

Modified Rules:

 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:34728 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:34727 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)

2017-03-21 13:34:31 UTC

Snort Subscriber Rules Update

Date: 2017-03-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42041 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42018 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected (exploit-kit.rules)
 * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules)
 * 1:42020 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42028 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42029 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42032 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42036 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42038 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42039 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:42048 <-> ENABLED <-> SERVER-WEBAPP dnaLIMS sysAdmin.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:42047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42046 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42019 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42043 <-> DISABLED <-> SERVER-WEBAPP WordPress embedded URL video cross site scripting attempt (server-webapp.rules)
 * 1:42042 <-> DISABLED <-> SERVER-WEBAPP Wordpress Press-This cross site request forgery attempt (server-webapp.rules)

Modified Rules:

 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34728 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34727 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)

2017-03-21 13:34:31 UTC

Snort Subscriber Rules Update

Date: 2017-03-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42048 <-> ENABLED <-> SERVER-WEBAPP dnaLIMS sysAdmin.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:42047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42046 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free (file-flash.rules)
 * 1:42043 <-> DISABLED <-> SERVER-WEBAPP WordPress embedded URL video cross site scripting attempt (server-webapp.rules)
 * 1:42042 <-> DISABLED <-> SERVER-WEBAPP Wordpress Press-This cross site request forgery attempt (server-webapp.rules)
 * 1:42041 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42039 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42038 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42036 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42032 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42029 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42028 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection attempt (malware-cnc.rules)
 * 1:42020 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42019 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Andr.Trojan.Agent (blacklist.rules)
 * 1:42018 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected (exploit-kit.rules)
 * 1:42017 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header (indicator-obfuscation.rules)
 * 1:42016 <-> ENABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)

Modified Rules:

 * 1:34727 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34728 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)