Talos Rules 2018-03-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-office, file-other, malware-cnc, malware-other, netbios, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-03-27 12:12:44 UTC

Snort Subscriber Rules Update

Date: 2018-03-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
 * 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
 * 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
 * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
 * 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
 * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
 * 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
 * 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
 * 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
 * 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
 * 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
 * 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
 * 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
 * 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

Modified Rules:


 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)

2018-03-27 12:12:44 UTC

Snort Subscriber Rules Update

Date: 2018-03-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
 * 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
 * 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
 * 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
 * 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
 * 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
 * 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
 * 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
 * 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
 * 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
 * 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
 * 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
 * 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
 * 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

Modified Rules:


 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)

2018-03-27 12:12:44 UTC

Snort Subscriber Rules Update

Date: 2018-03-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (snort3-malware-other.rules)
 * 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (snort3-malware-other.rules)
 * 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (snort3-malware-cnc.rules)
 * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (snort3-malware-cnc.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (snort3-file-other.rules)
 * 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (snort3-malware-cnc.rules)
 * 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (snort3-malware-cnc.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (snort3-server-apache.rules)
 * 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (snort3-server-other.rules)
 * 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (snort3-malware-cnc.rules)
 * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (snort3-malware-cnc.rules)
 * 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (snort3-file-other.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (snort3-netbios.rules)
 * 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (snort3-file-other.rules)
 * 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (snort3-file-image.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (snort3-file-image.rules)
 * 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (snort3-file-other.rules)
 * 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (snort3-file-other.rules)
 * 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (snort3-file-other.rules)
 * 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (snort3-malware-cnc.rules)
 * 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (snort3-malware-cnc.rules)
 * 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (snort3-malware-cnc.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (snort3-server-webapp.rules)
 * 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (snort3-file-office.rules)
 * 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (snort3-server-webapp.rules)
 * 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (snort3-server-webapp.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)

2018-03-27 12:12:44 UTC

Snort Subscriber Rules Update

Date: 2018-03-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
 * 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
 * 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
 * 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
 * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
 * 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
 * 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
 * 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
 * 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
 * 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
 * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
 * 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
 * 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
 * 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

Modified Rules:


 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)

2018-03-27 12:12:45 UTC

Snort Subscriber Rules Update

Date: 2018-03-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
 * 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
 * 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
 * 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
 * 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
 * 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
 * 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
 * 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
 * 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
 * 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
 * 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
 * 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
 * 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
 * 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
 * 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
 * 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
 * 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
 * 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
 * 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
 * 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
 * 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

Modified Rules:


 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
 * 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
 * 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)