Talos Rules 2018-05-10
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-pdf, malware-cnc, malware-other, netbios, os-linux, server-mail and server-webapp rule sets to provide coverage for emerging threats in these areas.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-05-10 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
 * 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
 * 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
 * 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
 * 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
 * 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
 * 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
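The `gid:sid <-> state <-> message (group)` lines above are simple enough to consume mechanically, and two questions are worth answering on every release: which new detections ship DISABLED (they add nothing until enabled locally; here that is the whole SAP Internet Graphics Server set, the SMTP EHLO overflow and the Safe Links bypass rules, while the GPON router and malware-cnc rules arrive ENABLED), and what differs between the packs built for different Snort versions. The parser below is an added example and not Talos or Snort code; it handles only the changelog format documented above, the helper names (`parse_changelog`, `disabled_new_rules`, `only_in`) are this example's own, and the sample input is a constructed excerpt of lines copied from this release (rule pack 2983, plus two of the OS-LINUX rules that first appear in the 2990 pack).

```python
import re
from dataclasses import dataclass

# One changelog bullet, as documented in the release notes:
#   * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)
RULE_LINE = re.compile(
    r"^\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)$"
)


@dataclass(frozen=True, order=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def key(self):
        return (self.gid, self.sid)

    @property
    def is_deleted(self):
        # Retired SIDs are parked in deleted.rules with a "DELETED" message prefix.
        return self.group.endswith("deleted.rules") or self.msg.startswith("DELETED ")


def parse_line(line):
    """Parse one bullet; returns None for lines that are not rule entries."""
    m = RULE_LINE.match(line.strip())
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_changelog(text):
    """Split one rule-pack section into {'new': [...], 'modified': [...]}.

    A bullet that does not parse raises instead of being dropped, so a
    format change in the feed cannot silently hide a rule from the report.
    """
    sections = {"new": [], "modified": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = "new"
        elif line == "Modified Rules:":
            current = "modified"
        elif line.startswith("*"):
            entry = parse_line(line)
            if entry is None or current is None:
                raise ValueError(f"unexpected rule line: {raw!r}")
            sections[current].append(entry)
    return sections


def disabled_new_rules(sections):
    """New detections that ship DISABLED and therefore need explicit enabling."""
    return sorted(e for e in sections["new"] if not e.enabled and not e.is_deleted)


def only_in(sections_a, sections_b):
    """(gid, sid) pairs added in pack A that are absent from pack B."""
    keys_b = {e.key for e in sections_b["new"]}
    return sorted(e.key for e in sections_a["new"] if e.key not in keys_b)


# Constructed excerpt of this release's 2983 pack (lines copied from the notes).
SAMPLE_2983 = """\
New Rules:

 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
"""

# The 2990 pack carries the same entries plus the OS-LINUX rules (two shown here).
OS_LINUX_LINES = """\
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
"""
SAMPLE_2990 = SAMPLE_2983.replace("Modified Rules:", OS_LINUX_LINES + "\nModified Rules:")


if __name__ == "__main__":
    pack_2983, pack_2990 = parse_changelog(SAMPLE_2983), parse_changelog(SAMPLE_2990)
    for e in disabled_new_rules(pack_2990):
        print(f"ships DISABLED: {e.gid}:{e.sid}  {e.msg}  [{e.group}]")
    print("added in 2990 but not in 2983:", only_in(pack_2990, pack_2983))
```

Run stand-alone it lists the DISABLED candidates from the constructed 2990 excerpt and reports the two OS-LINUX SIDs that the 2983 pack does not carry. The changelog gives only each rule's message, not its body, so before enabling a DISABLED SID (for example through an `enablesid.conf` entry such as `1:46620` with PulledPork) read the rule in the downloaded file and confirm the product or protocol it inspects is present on the monitored network; a SERVER-WEBAPP rule for software you do not run adds inspection cost and no coverage.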

2018-05-10 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
 * 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
 * 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
 * 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
 * 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
 * 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
 * 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
 * 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

2018-05-10 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (snort3-server-mail.rules)
 * 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (snort3-malware-cnc.rules)
 * 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (snort3-netbios.rules)
 * 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (snort3-server-mail.rules)
 * 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (snort3-malware-cnc.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (snort3-deleted.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (snort3-malware-cnc.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (snort3-deleted.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (snort3-server-webapp.rules)
 * 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (snort3-malware-cnc.rules)
 * 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (snort3-deleted.rules)
 * 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
 * 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
 * 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (snort3-malware-cnc.rules)
 * 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (snort3-deleted.rules)

Modified Rules:


 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
 * 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
 * 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
 * 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (snort3-netbios.rules)
 * 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (snort3-malware-other.rules)
 * 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (snort3-malware-other.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (snort3-malware-other.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
 * 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)

2018-05-10 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
 * 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
 * 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
 * 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
 * 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
 * 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
 * 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
 * 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
 * 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
 * 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)

2018-05-10 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2018-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
 * 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
 * 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
 * 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
 * 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
 * 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
 * 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
 * 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
 * 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
 * 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
 * 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
 * 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt  (netbios.rules)
 * 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
 * 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
 * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
 * 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)