Talos Rules 2018-05-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-05-29 18:08:06 UTC

Snort Subscriber Rules Update

Date: 2018-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
 * 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
 * 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
 * 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
 * 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
 * 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
 * 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
 * 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
 * 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)

Modified Rules:

 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)

2018-05-29 18:08:07 UTC

Snort Subscriber Rules Update

Date: 2018-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
 * 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
 * 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
 * 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
 * 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
 * 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
 * 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
 * 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
 * 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)

Modified Rules:

 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)

2018-05-29 18:08:07 UTC

Snort Subscriber Rules Update

Date: 2018-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (snort3-server-webapp.rules)
 * 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (snort3-malware-cnc.rules)
 * 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (snort3-malware-other.rules)
 * 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (snort3-malware-cnc.rules)
 * 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (snort3-server-webapp.rules)
 * 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (snort3-server-webapp.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (snort3-malware-cnc.rules)
 * 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (snort3-os-windows.rules)
 * 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (snort3-os-windows.rules)
 * 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)

Modified Rules:

 * 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (snort3-malware-cnc.rules)
 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (snort3-malware-cnc.rules)

2018-05-29 18:08:07 UTC

Snort Subscriber Rules Update

Date: 2018-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
 * 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
 * 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
 * 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
 * 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
 * 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
 * 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
 * 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
 * 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)

Modified Rules:

 * 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)

2018-05-29 18:08:07 UTC

Snort Subscriber Rules Update

Date: 2018-05-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
 * 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
 * 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
 * 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
 * 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
 * 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
 * 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
 * 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
 * 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
 * 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
 * 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
 * 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
 * 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
 * 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)