Talos Rules 2018-04-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-executable, file-identify, file-other, indicator-compromise, malware-backdoor, malware-cnc, protocol-other, pua-adware, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-04-19 13:29:38 UTC

Snort Subscriber Rules Update

Date: 2018-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
 * 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
 * 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
 * 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
 * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
 * 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
 * 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
 * 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
 * 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
 * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
 * 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
 * 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
 * 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
 * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
 * 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
 * 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)

2018-04-19 13:29:39 UTC

Snort Subscriber Rules Update

Date: 2018-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
 * 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
 * 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
 * 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
 * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
 * 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
 * 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
 * 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
 * 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
 * 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
 * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
 * 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
 * 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
 * 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
 * 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)

2018-04-19 13:29:39 UTC

Snort Subscriber Rules Update

Date: 2018-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (snort3-file-identify.rules)
 * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (snort3-malware-backdoor.rules)
 * 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (snort3-server-webapp.rules)
 * 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (snort3-file-identify.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
 * 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
 * 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (snort3-browser-other.rules)
 * 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (snort3-browser-other.rules)
 * 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (snort3-file-executable.rules)
 * 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (snort3-file-executable.rules)
 * 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (snort3-file-identify.rules)
 * 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (snort3-server-other.rules)
 * 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
 * 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (snort3-pua-other.rules)
 * 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (snort3-protocol-other.rules)
 * 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (snort3-malware-cnc.rules)
 * 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (snort3-pua-other.rules)
 * 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (snort3-pua-other.rules)
 * 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (snort3-protocol-other.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (snort3-server-other.rules)
 * 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (snort3-server-webapp.rules)
 * 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (snort3-pua-other.rules)
 * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (snort3-indicator-compromise.rules)
 * 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (snort3-server-other.rules)
 * 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (snort3-server-other.rules)
 * 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (snort3-browser-ie.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
 * 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (snort3-pua-other.rules)
 * 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
 * 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (snort3-browser-ie.rules)
 * 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
 * 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (snort3-pua-adware.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (snort3-malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (snort3-malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)

2018-04-19 13:29:39 UTC

Snort Subscriber Rules Update

Date: 2018-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
 * 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
 * 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
 * 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
 * 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
 * 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
 * 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
 * 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
 * 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
 * 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
 * 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
 * 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
 * 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
 * 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
 * 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)

2018-04-19 13:29:39 UTC

Snort Subscriber Rules Update

Date: 2018-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
 * 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
 * 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
 * 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
 * 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
 * 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
 * 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
 * 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
 * 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
 * 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
 * 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
 * 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
 * 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
 * 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
 * 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
 * 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
 * 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
 * 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
 * 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
 * 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
 * 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
 * 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
 * 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
 * 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)

Modified Rules:


 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)