Talos Rules 2018-01-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-01-03 01:08:39 UTC

Snort Subscriber Rules Update

Date: 2018-01-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)
 * 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)

Modified Rules:


 * 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
 * 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
 * 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
 * 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
 * 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
 * 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
 * 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
 * 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
 * 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
 * 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
 * 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
 * 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
 * 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
 * 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
 * 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
 * 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
 * 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
 * 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
 * 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
 * 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
 * 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
 * 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
 * 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
 * 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
 * 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
 * 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
 * 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
 * 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
 * 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
 * 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
 * 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
 * 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
 * 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
 * 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
 * 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
 * 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
 * 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
 * 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
 * 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
 * 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
 * 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
 * 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
 * 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
 * 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
 * 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
 * 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
 * 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
 * 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
 * 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
 * 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
 * 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
 * 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
 * 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
 * 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
 * 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
 * 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
 * 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
 * 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
 * 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
 * 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
 * 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
 * 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
 * 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
 * 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
 * 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
 * 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
 * 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
 * 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
 * 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
 * 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
 * 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
 * 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
 * 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
 * 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
 * 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
 * 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
 * 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
 * 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
 * 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
 * 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
 * 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
 * 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
 * 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
 * 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
 * 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)

2018-01-03 01:08:39 UTC

Snort Subscriber Rules Update

Date: 2018-01-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)
 * 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
 * 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)
 * 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
 * 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
 * 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
 * 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
 * 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
 * 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
 * 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
 * 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
 * 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
 * 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
 * 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
 * 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
 * 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
 * 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
 * 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
 * 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
 * 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
 * 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
 * 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
 * 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
 * 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
 * 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
 * 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
 * 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
 * 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
 * 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
 * 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
 * 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
 * 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
 * 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
 * 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
 * 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
 * 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
 * 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
 * 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
 * 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
 * 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
 * 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
 * 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
 * 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
 * 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
 * 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
 * 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
 * 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
 * 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
 * 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
 * 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
 * 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
 * 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
 * 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
 * 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
 * 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
 * 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
 * 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
 * 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
 * 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
 * 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
 * 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
 * 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
 * 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
 * 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
 * 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
 * 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
 * 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
 * 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
 * 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
 * 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
 * 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
 * 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
 * 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
 * 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
 * 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
 * 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
 * 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
 * 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
 * 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
 * 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
 * 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
 * 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
 * 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
 * 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
 * 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
 * 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
 * 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)

2018-01-03 01:08:39 UTC

Snort Subscriber Rules Update

Date: 2018-01-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)
 * 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
 * 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
 * 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
 * 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
 * 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
 * 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
 * 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
 * 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
 * 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
 * 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
 * 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
 * 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
 * 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
 * 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
 * 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
 * 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
 * 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
 * 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
 * 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
 * 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
 * 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
 * 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
 * 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
 * 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
 * 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
 * 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
 * 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
 * 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
 * 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
 * 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
 * 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
 * 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
 * 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
 * 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
 * 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
 * 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
 * 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
 * 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
 * 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
 * 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
 * 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
 * 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
 * 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
 * 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
 * 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
 * 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
 * 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
 * 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
 * 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
 * 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
 * 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
 * 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
 * 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
 * 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
 * 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
 * 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
 * 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
 * 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
 * 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
 * 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
 * 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
 * 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
 * 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
 * 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
 * 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
 * 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
 * 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
 * 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
 * 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
 * 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
 * 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
 * 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
 * 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
 * 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
 * 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
 * 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
 * 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
 * 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
 * 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
 * 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
 * 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
 * 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
 * 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
 * 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
 * 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
 * 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
 * 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
 * 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
 * 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
 * 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)