Talos Rules 2017-12-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-flash, file-office, file-pdf, malware-cnc, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-12-05 15:41:11 UTC

Snort Subscriber Rules Update

Date: 2017-12-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
 * 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
 * 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
 * 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
 * 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
 * 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
 * 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
 * 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
 * 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
 * 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
 * 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
 * 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
 * 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
 * 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
 * 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
 * 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
 * 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
 * 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
 * 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
 * 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
 * 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)
 * 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules)
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules)
 * 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules)
 * 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules)
 * 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
 * 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
 * 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
 * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
 * 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
 * 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
 * 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
 * 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
 * 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
 * 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
 * 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
 * 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
 * 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
 * 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
 * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules)
 * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules)
 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound connection (malware-cnc.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules)
 * 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules)
 * 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules)
 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules)
 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules)
 * 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules)
 * 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)

2017-12-05 15:41:11 UTC

Snort Subscriber Rules Update

Date: 2017-12-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
 * 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
 * 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
 * 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
 * 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
 * 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
 * 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
 * 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
 * 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
 * 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
 * 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
 * 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
 * 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
 * 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
 * 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
 * 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
 * 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)
 * 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
 * 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
 * 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
 * 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
 * 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
 * 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
 * 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
 * 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
 * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
 * 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
 * 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
 * 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
 * 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
 * 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
 * 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
 * 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
 * 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules)
 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules)
 * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules)
 * 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound connection (malware-cnc.rules)
 * 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules)
 * 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules)
 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules)
 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules)
 * 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)

2017-12-05 15:41:11 UTC

Snort Subscriber Rules Update

Date: 2017-12-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
 * 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
 * 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
 * 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
 * 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
 * 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
 * 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
 * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
 * 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
 * 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
 * 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
 * 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
 * 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
 * 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
 * 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
 * 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
 * 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
 * 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
 * 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
 * 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
 * 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
 * 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
 * 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
 * 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)

Modified Rules:


 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
 * 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
 * 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
 * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
 * 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
 * 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
 * 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
 * 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
 * 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
 * 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
 * 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
 * 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
 * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules)
 * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
 * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules)
 * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules)
 * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
 * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules)
 * 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound connection (malware-cnc.rules)
 * 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules)
 * 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
 * 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
 * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules)
 * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
 * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules)
 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules)
 * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules)
 * 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
 * 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules)
 * 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
 * 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
 * 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
 * 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
 * 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
 * 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
 * 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
 * 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
 * 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
 * 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
 * 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
 * 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
 * 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
 * 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
 * 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
 * 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
 * 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
 * 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
 * 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)