Talos Rules 2018-03-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, exploit-kit, file-image, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats. Several of the new server-side rules (SugarCRM, Advantech WebAccess, CoreOS etcd, Joomla Jimtawl and Sandvine PacketLogic) ship with a default state of DISABLED and will not alert until they are enabled in the local policy; the gid 3 TRUFFLEHUNTER shared-object rules appear in the 2.9.x rule packs only.

Change logs

2018-03-20 13:59:47 UTC

Snort Subscriber Rules Update

Date: 2018-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
 * 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
 * 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
 * 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
 * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
 * 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
 * 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)

Modified Rules:


 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
 * 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
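The changelog format described above (gid:sid <-> default state <-> message (rule group)) is regular enough to parse, and parsing it answers the questions an analyst actually has on update day: which new rules ship DISABLED and so do nothing until enabled locally, and which entries in a 2.9.x list have no counterpart in the Snort 3 list (on this page, the gid 3 TRUFFLEHUNTER shared-object rules). The script below is an added example written for this page, not Talos tooling; the sample input is a hand-trimmed subset of the lists above, embedded inline so it runs offline, and the function names are my own.

```python
import re
from collections import Counter

# One changelog entry looks like:
#   " * gid:sid <-> ENABLED|DISABLED <-> MESSAGE (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample input: a subset of the Snort 2.9.11.1 list from this
# changelog, trimmed so the example runs stand-alone.
SNORT29_SAMPLE = """\
New Rules:

 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
 * 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)

Modified Rules:

 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
"""

# Constructed sample input: the matching subset of the Snort 3 list, whose
# rule groups carry a "snort3-" prefix and which has no gid 3 entries.
SNORT3_SAMPLE = """\
New Rules:

 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (snort3-server-other.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (snort3-server-webapp.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (snort3-server-webapp.rules)
 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (snort3-malware-backdoor.rules)

Modified Rules:

 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
"""


def parse_changelog(text):
    """Parse changelog text into a list of dicts, tagging each entry with the
    section ("new" or "modified") it was listed under. Non-matching lines
    (headers, blanks, anything malformed) are skipped rather than guessed at."""
    rules, section = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "New Rules:":
            section = "new"
        elif head == "Modified Rules:":
            section = "modified"
        m = LINE_RE.match(line)
        if not m:
            continue
        group = m["group"]
        if group.startswith("snort3-"):      # normalise so 2.9.x and 3 compare
            group = group[len("snort3-"):]
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "category": m["msg"].split(" ", 1)[0],   # e.g. SERVER-WEBAPP
            "group": group,
            "section": section,
        })
    return rules


def key(rule):
    return (rule["gid"], rule["sid"])


def disabled_new_rules(rules):
    """New rules that ship DISABLED: candidates for enabling in local policy."""
    return sorted(key(r) for r in rules
                  if r["section"] == "new" and r["state"] == "DISABLED")


def missing_from(rules_a, rules_b):
    """gid:sid pairs listed in changelog A but absent from changelog B."""
    present = {key(r) for r in rules_b}
    return sorted(key(r) for r in rules_a if key(r) not in present)


def state_counts(rules):
    return Counter(r["state"] for r in rules)


def categories(rules):
    """Distinct rule categories, for checking a release summary against the lists."""
    return sorted({r["category"] for r in rules})


if __name__ == "__main__":
    r29 = parse_changelog(SNORT29_SAMPLE)
    r3 = parse_changelog(SNORT3_SAMPLE)
    print("default states:", dict(state_counts(r29)))
    print("new but disabled:", disabled_new_rules(r29))
    print("in 2.9.x list, not in Snort 3 list:", missing_from(r29, r3))
    print("categories:", categories(r29))
```

Point it at the full text of two version blocks from a release page and the diff output is the list to act on: enable the disabled entries that match software you actually run, and do not expect the gid 3 shared-object rules to appear on Snort 3 sensors.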

2018-03-20 13:59:47 UTC

Snort Subscriber Rules Update

Date: 2018-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
 * 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
 * 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
 * 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
 * 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
 * 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)

Modified Rules:


 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)

2018-03-20 13:59:47 UTC

Snort Subscriber Rules Update

Date: 2018-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (snort3-server-other.rules)
 * 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (snort3-server-webapp.rules)
 * 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (snort3-server-webapp.rules)
 * 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (snort3-malware-cnc.rules)
 * 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (snort3-malware-cnc.rules)
 * 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (snort3-os-windows.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (snort3-server-webapp.rules)
 * 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (snort3-file-other.rules)
 * 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (snort3-malware-cnc.rules)
 * 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (snort3-file-other.rules)
 * 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (snort3-server-webapp.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (snort3-server-webapp.rules)
 * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (snort3-malware-cnc.rules)
 * 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (snort3-policy-other.rules)
 * 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (snort3-malware-backdoor.rules)
 * 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (snort3-exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (snort3-exploit-kit.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (snort3-app-detect.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (snort3-exploit-kit.rules)
 * 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (snort3-exploit-kit.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
 * 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (snort3-exploit-kit.rules)
 * 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (snort3-exploit-kit.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
 * 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (snort3-exploit-kit.rules)
 * 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (snort3-exploit-kit.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)

2018-03-20 13:59:47 UTC

Snort Subscriber Rules Update

Date: 2018-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
 * 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
 * 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
 * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
 * 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
 * 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
 * 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)

Modified Rules:


 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)

2018-03-20 13:59:47 UTC

Snort Subscriber Rules Update

Date: 2018-03-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
 * 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
 * 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
 * 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
 * 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
 * 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
 * 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
 * 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
 * 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
 * 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
 * 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
 * 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
 * 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
 * 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
 * 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)

Modified Rules:


 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
 * 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
 * 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
 * 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)