Talos Rules 2018-04-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-java, malware-cnc, os-linux, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-04-03 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2018-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules)
 * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
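The lines above follow the "gid:sid <-> Default rule state <-> Message (rule group)" format stated at the top of each section. The script below is an added example, not code from the Talos release notes or from the Snort project. It parses a changelog in that format and extracts what an operator has to act on: new rules that ship DISABLED (present in the pack but giving no coverage until enabled), rules carrying the DELETED marker used in the Snort 3 section, the per-category count of new signatures, and the TALOS-YYYY-NNNN advisory IDs the new rules reference. SAMPLE is a constructed excerpt of this release; the function and class names are the example's own.

```python
"""Parse a Snort/Talos rule-update changelog and summarise its operational impact.

Added example, not code from the Talos release notes or the Snort project.
Input lines have the form documented in the release:
    gid:sid <-> Default rule state <-> Message (rule group)
SAMPLE below is a constructed excerpt of the 2018-04-03 changelog.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of this release (same line format as the changelog above).
SAMPLE = """\
New Rules:

 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)

Modified Rules:

 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40235 <-> DISABLED <-> DELETED MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (snort3-deleted.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+)\)\s*$"
)
TALOS_ID_RE = re.compile(r"TALOS-\d{4}-\d{4}")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str      # default state shipped by Talos: ENABLED or DISABLED
    msg: str        # rule message, e.g. "SERVER-WEBAPP OpenEMR SQL injection attempt"
    group: str      # rules file the signature lives in, e.g. "server-webapp.rules"
    section: str    # "New Rules" or "Modified Rules"

    @property
    def deleted(self) -> bool:
        # Retired rules keep their message but are prefixed with DELETED.
        return self.msg.startswith("DELETED ")

    @property
    def category(self) -> str:
        # The category is the first message token (e.g. MALWARE-CNC);
        # for a DELETED rule it is the token after the DELETED marker.
        tokens = self.msg.split()
        return tokens[1] if self.deleted else tokens[0]

    @property
    def talos_id(self) -> str | None:
        m = TALOS_ID_RE.search(self.msg)
        return m.group(0) if m else None


def parse_changelog(text: str) -> list[RuleChange]:
    """Return every rule line, tagged with the section it was listed under."""
    changes: list[RuleChange] = []
    section = None
    for line in text.splitlines():
        heading = line.strip()
        if heading in ("New Rules:", "Modified Rules:"):
            section = heading.rstrip(":")
            continue
        m = LINE_RE.match(line)
        if m and section:
            changes.append(RuleChange(int(m["gid"]), int(m["sid"]), m["state"],
                                      m["msg"], m["group"], section))
    return changes


def disabled_by_default(changes: list[RuleChange]) -> list[tuple[int, int]]:
    """New rules shipped DISABLED: they give no coverage until an operator enables them."""
    return sorted((c.gid, c.sid) for c in changes
                  if c.section == "New Rules" and c.state == "DISABLED")


def deleted_rules(changes: list[RuleChange]) -> list[tuple[int, int]]:
    """Rules retired in this release; alerts keyed on these SIDs will stop appearing."""
    return sorted((c.gid, c.sid) for c in changes if c.deleted)


def new_rules_by_category(changes: list[RuleChange]) -> Counter:
    """How many new signatures landed in each category (MALWARE-CNC, SERVER-WEBAPP, ...)."""
    return Counter(c.category for c in changes if c.section == "New Rules")


def talos_advisories(changes: list[RuleChange]) -> list[str]:
    """Vulnerability-research IDs (TALOS-YYYY-NNNN) that the new rules reference."""
    return sorted({c.talos_id for c in changes if c.talos_id})


if __name__ == "__main__":
    changes = parse_changelog(SAMPLE)
    print("new rules by category:", dict(new_rules_by_category(changes)))
    print("new but DISABLED by default:", disabled_by_default(changes))
    print("deleted:", deleted_rules(changes))
    print("Talos advisories covered:", talos_advisories(changes))
```

Run it against the full text of a release rather than the excerpt to get the real picture. The DISABLED list is the one to review: a site running OpenEMR or cPanel gets none of the coverage this release announces for 1:46132/1:46133 and 1:46130/1:46131 until those rules are turned on, and any alerting keyed on a SID that shows up in the deleted list (1:40235 in the Snort 3 pack) will go silent after the update.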

2018-04-03 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2018-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules)
 * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules)
 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)

2018-04-03 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2018-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (snort3-server-webapp.rules)
 * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (snort3-malware-cnc.rules)
 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (snort3-server-other.rules)
 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules)
 * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (snort3-malware-cnc.rules)
 * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules)
 * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (snort3-server-other.rules)
 * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (snort3-malware-cnc.rules)
 * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules)
 * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (snort3-server-webapp.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (snort3-file-java.rules)
 * 1:40235 <-> DISABLED <-> DELETED MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (snort3-deleted.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (snort3-malware-cnc.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (snort3-os-linux.rules)
 * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (snort3-file-java.rules)

2018-04-03 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2018-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules)
 * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules)
 * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules)
 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)

Modified Rules:


 * 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)

2018-04-03 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2018-04-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules)
 * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules)
 * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules)
 * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules)
 * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules)
 * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules)
 * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules)
 * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)