Talos Rules 2018-06-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, exploit-kit, file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, netbios and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-06-19 12:15:15 UTC

Snort Subscriber Rules Update

Date: 2018-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46988 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46987 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46986 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (server-webapp.rules)
 * 1:46981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate (malware-cnc.rules)
 * 1:46980 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46979 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46977 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46976 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46975 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)

Modified Rules:


 * 1:15013 <-> ENABLED <-> FILE-IDENTIFY PDF file download request (file-identify.rules)
 * 1:13801 <-> ENABLED <-> FILE-IDENTIFY RTF file download request (file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20260 <-> ENABLED <-> FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request (file-identify.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:19211 <-> ENABLED <-> FILE-IDENTIFY ZIP archive file download request (file-identify.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:17733 <-> ENABLED <-> FILE-IDENTIFY XML file download request (file-identify.rules)
 * 1:17380 <-> ENABLED <-> FILE-IDENTIFY PNG file download request (file-identify.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE document file magic detected (file-identify.rules)
 * 1:16529 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16475 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
 * 1:16407 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16406 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (os-windows.rules)
 * 1:16205 <-> ENABLED <-> FILE-IDENTIFY BMP file download request (file-identify.rules)
 * 1:15587 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file download request (file-identify.rules)
 * 1:20964 <-> ENABLED <-> FILE-IDENTIFY SAMI file download request (file-identify.rules)
 * 1:20963 <-> ENABLED <-> FILE-IDENTIFY DIB file download request (file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20621 <-> ENABLED <-> FILE-IDENTIFY JAR file download request (file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20967 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20965 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20966 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules)
 * 1:21410 <-> ENABLED <-> FILE-IDENTIFY paq8o file download request (file-identify.rules)
 * 1:21696 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21412 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21411 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21695 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21614 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21613 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:23667 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:21856 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21747 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21746 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21737 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21736 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21735 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21734 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21733 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21732 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21731 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21730 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21729 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21728 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21727 <-> ENABLED <-> FILE-IDENTIFY ANI file magic detection (file-identify.rules)
 * 1:21726 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21725 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21724 <-> ENABLED <-> FILE-IDENTIFY ANI file download request (file-identify.rules)
 * 1:21698 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21697 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:23664 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21857 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23725 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:23711 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (file-identify.rules)
 * 1:23708 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:23678 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:23758 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:24455 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:23773 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23759 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
 * 1:24458 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24457 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24456 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:3083 <-> DISABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation (malware-backdoor.rules)
 * 1:3082 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response (malware-backdoor.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (file-identify.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:26251 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (file-identify.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:36058 <-> ENABLED <-> FILE-IDENTIFY OLE Document upload detected (file-identify.rules)
 * 1:35852 <-> ENABLED <-> FILE-IDENTIFY JPEG file upload detected (file-identify.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
 * 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-06-19 12:15:15 UTC

Snort Subscriber Rules Update

Date: 2018-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46987 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46988 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46977 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (server-webapp.rules)
 * 1:46975 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46979 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:46981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate (malware-cnc.rules)
 * 1:46976 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46986 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46980 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)

Modified Rules:


 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
 * 1:24458 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:13801 <-> ENABLED <-> FILE-IDENTIFY RTF file download request (file-identify.rules)
 * 1:15013 <-> ENABLED <-> FILE-IDENTIFY PDF file download request (file-identify.rules)
 * 1:15587 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file download request (file-identify.rules)
 * 1:16205 <-> ENABLED <-> FILE-IDENTIFY BMP file download request (file-identify.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (os-windows.rules)
 * 1:16406 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16407 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16475 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:16529 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE document file magic detected (file-identify.rules)
 * 1:17380 <-> ENABLED <-> FILE-IDENTIFY PNG file download request (file-identify.rules)
 * 1:17733 <-> ENABLED <-> FILE-IDENTIFY XML file download request (file-identify.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:19211 <-> ENABLED <-> FILE-IDENTIFY ZIP archive file download request (file-identify.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:20260 <-> ENABLED <-> FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request (file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:20621 <-> ENABLED <-> FILE-IDENTIFY JAR file download request (file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20963 <-> ENABLED <-> FILE-IDENTIFY DIB file download request (file-identify.rules)
 * 1:20964 <-> ENABLED <-> FILE-IDENTIFY SAMI file download request (file-identify.rules)
 * 1:20965 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20966 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20967 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21410 <-> ENABLED <-> FILE-IDENTIFY paq8o file download request (file-identify.rules)
 * 1:21411 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21412 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21613 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21614 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21695 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21696 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21697 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21698 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21724 <-> ENABLED <-> FILE-IDENTIFY ANI file download request (file-identify.rules)
 * 1:21725 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21726 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21727 <-> ENABLED <-> FILE-IDENTIFY ANI file magic detection (file-identify.rules)
 * 1:21728 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21729 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21730 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21731 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21732 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21733 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21734 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21735 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21736 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21737 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21746 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21747 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21856 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21857 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23664 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:23667 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23678 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:23708 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:23711 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (file-identify.rules)
 * 1:23725 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:23758 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:23759 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23773 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:24455 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24456 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:26251 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (file-identify.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (file-identify.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:3083 <-> DISABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation (malware-backdoor.rules)
 * 1:3082 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response (malware-backdoor.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:35852 <-> ENABLED <-> FILE-IDENTIFY JPEG file upload detected (file-identify.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
 * 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
 * 1:36058 <-> ENABLED <-> FILE-IDENTIFY OLE Document upload detected (file-identify.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:24457 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-06-19 12:15:15 UTC

Snort Subscriber Rules Update

Date: 2018-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
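The format line above is all the structure these release notes carry, so triage usually starts by parsing it. The following is an added example, not part of the Talos release notes or any Cisco tooling: a small Python parser that turns a multi-version changelog into records, tags each entry with the Snort version and section it appeared under, and pulls out the new rules that ship DISABLED. That last point is the practical one: a DISABLED default state means the signature is in the rule pack but inactive until you enable it in your own policy, and in this release that covers the Chrome Crankshaft, Quest DR Series and cmd.exe banner rules. The sample text is constructed from a few lines of this release; the gid:sid output format is an assumption that a PulledPork-style enablesid.conf is the target.

```python
"""Parse a Snort Subscriber Rules changelog into structured records."""
import re
from collections import Counter
from dataclasses import dataclass

# One entry, e.g.
#  * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
# The header line that starts each per-version block of the release notes.
VERSION_RE = re.compile(r"for Snort version (?P<version>\d+)")


@dataclass(frozen=True)
class RuleEntry:
    snort_version: str
    section: str      # "new" or "modified"
    gid: int          # 1 = text rules, 3 = shared-object rules
    sid: int
    state: str        # default state in the shipped policy, not what your sensor runs
    category: str
    msg: str
    group: str        # rule file the entry lives in


def parse_changelog(text):
    """Return every rule entry, tagged with the Snort version block and section it sits in."""
    entries = []
    version, section = None, None
    for line in text.splitlines():
        stripped = line.strip()
        vm = VERSION_RE.search(stripped)
        if vm:                      # new per-version block: reset the section state
            version, section = vm["version"], None
            continue
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and version and section:
            entries.append(RuleEntry(version, section, int(m["gid"]), int(m["sid"]),
                                     m["state"], m["category"], m["msg"], m["group"]))
    return entries


def disabled_new_rules(entries, snort_version):
    """New rules that ship DISABLED: coverage you do not get unless you enable them."""
    return [e for e in entries
            if e.snort_version == snort_version and e.section == "new" and e.state == "DISABLED"]


def category_counts(entries, snort_version):
    """(section, category) -> number of entries, for a quick release summary."""
    return dict(Counter((e.section, e.category)
                        for e in entries if e.snort_version == snort_version))


def enablesid_lines(entries):
    """gid:sid lines, one per rule, in the form a PulledPork enablesid.conf takes (assumed tool)."""
    return sorted(f"{e.gid}:{e.sid}" for e in entries)


# Constructed sample: a few lines copied from the 2018-06-19 release, across two Snort versions.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:

 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (server-webapp.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)

Modified Rules:

 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (os-windows.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (snort3-malware-other.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (snort3-indicator-compromise.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    for version in sorted({e.snort_version for e in rules}):
        print(version, category_counts(rules, version))
        print("  ships disabled:", enablesid_lines(disabled_new_rules(rules, version)))
```

Run the script against the full text of a release and review the "ships disabled" list per Snort version before the next rule update: the version tag matters because the same SID appears once per rule pack (plain and snort3- rule files), and the gid is kept because shared-object rules (gid 3) are managed separately from text rules.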

New Rules:


 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (snort3-malware-other.rules)
 * 1:46984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (snort3-malware-cnc.rules)
 * 1:46979 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (snort3-indicator-compromise.rules)
 * 1:46986 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (snort3-malware-other.rules)
 * 1:46981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate (snort3-malware-cnc.rules)
 * 1:46987 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (snort3-malware-other.rules)
 * 1:46977 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (snort3-browser-chrome.rules)
 * 1:46980 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (snort3-indicator-compromise.rules)
 * 1:46975 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (snort3-browser-chrome.rules)
 * 1:46985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (snort3-malware-cnc.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (snort3-browser-chrome.rules)
 * 1:46976 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (snort3-browser-chrome.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:46988 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (snort3-malware-other.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (snort3-indicator-compromise.rules)

Modified Rules:


 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (snort3-netbios.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (snort3-file-identify.rules)
 * 1:3082 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response (snort3-malware-backdoor.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (snort3-file-identify.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (snort3-file-identify.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (snort3-exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (snort3-exploit-kit.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (snort3-file-identify.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (snort3-file-identify.rules)
 * 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (snort3-file-identify.rules)
 * 1:26251 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (snort3-exploit-kit.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (snort3-exploit-kit.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (snort3-file-identify.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (snort3-exploit-kit.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (snort3-exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (snort3-exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (snort3-exploit-kit.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (snort3-file-identify.rules)
 * 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (snort3-file-identify.rules)
 * 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (snort3-file-other.rules)
 * 1:3083 <-> DISABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation (snort3-malware-backdoor.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (snort3-file-office.rules)
 * 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (snort3-file-other.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (snort3-malware-cnc.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (snort3-malware-cnc.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (snort3-file-identify.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (snort3-file-identify.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (snort3-file-office.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (snort3-malware-other.rules)
 * 1:36058 <-> ENABLED <-> FILE-IDENTIFY OLE Document upload detected (snort3-file-identify.rules)
 * 1:35852 <-> ENABLED <-> FILE-IDENTIFY JPEG file upload detected (snort3-file-identify.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (snort3-exploit-kit.rules)
 * 1:24458 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (snort3-file-identify.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (snort3-file-identify.rules)
 * 1:13801 <-> ENABLED <-> FILE-IDENTIFY RTF file download request (snort3-file-identify.rules)
 * 1:15013 <-> ENABLED <-> FILE-IDENTIFY PDF file download request (snort3-file-identify.rules)
 * 1:15587 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file download request (snort3-file-identify.rules)
 * 1:16205 <-> ENABLED <-> FILE-IDENTIFY BMP file download request (snort3-file-identify.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (snort3-os-windows.rules)
 * 1:16406 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:16407 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (snort3-file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (snort3-file-identify.rules)
 * 1:16475 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (snort3-file-identify.rules)
 * 1:16529 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE document file magic detected (snort3-file-identify.rules)
 * 1:17380 <-> ENABLED <-> FILE-IDENTIFY PNG file download request (snort3-file-identify.rules)
 * 1:17733 <-> ENABLED <-> FILE-IDENTIFY XML file download request (snort3-file-identify.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (snort3-netbios.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (snort3-netbios.rules)
 * 1:19211 <-> ENABLED <-> FILE-IDENTIFY ZIP archive file download request (snort3-file-identify.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (snort3-file-identify.rules)
 * 1:20260 <-> ENABLED <-> FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request (snort3-file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (snort3-file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (snort3-file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (snort3-file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (snort3-file-identify.rules)
 * 1:20621 <-> ENABLED <-> FILE-IDENTIFY JAR file download request (snort3-file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (snort3-file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (snort3-file-identify.rules)
 * 1:20963 <-> ENABLED <-> FILE-IDENTIFY DIB file download request (snort3-file-identify.rules)
 * 1:20964 <-> ENABLED <-> FILE-IDENTIFY SAMI file download request (snort3-file-identify.rules)
 * 1:20965 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:20966 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:20967 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (snort3-file-identify.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (snort3-file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (snort3-file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (snort3-file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (snort3-file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (snort3-file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (snort3-file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (snort3-file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (snort3-file-identify.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (snort3-file-identify.rules)
 * 1:21410 <-> ENABLED <-> FILE-IDENTIFY paq8o file download request (snort3-file-identify.rules)
 * 1:21411 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (snort3-file-identify.rules)
 * 1:21412 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (snort3-file-identify.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (snort3-file-identify.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (snort3-file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (snort3-file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (snort3-file-identify.rules)
 * 1:21613 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (snort3-file-identify.rules)
 * 1:21614 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (snort3-file-identify.rules)
 * 1:21695 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (snort3-file-identify.rules)
 * 1:21696 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (snort3-file-identify.rules)
 * 1:21697 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (snort3-file-identify.rules)
 * 1:21698 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (snort3-file-identify.rules)
 * 1:21724 <-> ENABLED <-> FILE-IDENTIFY ANI file download request (snort3-file-identify.rules)
 * 1:21725 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (snort3-file-identify.rules)
 * 1:21726 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (snort3-file-identify.rules)
 * 1:21727 <-> ENABLED <-> FILE-IDENTIFY ANI file magic detection (snort3-file-identify.rules)
 * 1:21728 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21729 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21730 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21731 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21732 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21733 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21734 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21735 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21736 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21737 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (snort3-file-identify.rules)
 * 1:21746 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (snort3-file-identify.rules)
 * 1:21747 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (snort3-file-identify.rules)
 * 1:21856 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (snort3-file-identify.rules)
 * 1:21857 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (snort3-file-identify.rules)
 * 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (snort3-file-identify.rules)
 * 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (snort3-file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (snort3-file-identify.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (snort3-file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (snort3-file-identify.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (snort3-file-identify.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (snort3-file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (snort3-file-identify.rules)
 * 1:23664 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (snort3-file-identify.rules)
 * 1:23667 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (snort3-file-identify.rules)
 * 1:23678 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (snort3-file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (snort3-file-identify.rules)
 * 1:23708 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (snort3-file-identify.rules)
 * 1:23711 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (snort3-file-identify.rules)
 * 1:23725 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (snort3-file-identify.rules)
 * 1:23758 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (snort3-file-identify.rules)
 * 1:23759 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (snort3-file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (snort3-file-identify.rules)
 * 1:23773 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (snort3-file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
 * 1:24455 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:24456 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)
 * 1:24457 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (snort3-file-identify.rules)

2018-06-19 12:15:15 UTC

Snort Subscriber Rules Update

Date: 2018-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46979 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46986 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46980 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate (malware-cnc.rules)
 * 1:46984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46976 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46987 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (server-webapp.rules)
 * 1:46975 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:46977 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46988 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)

Modified Rules:


 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (file-identify.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:3083 <-> DISABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation (malware-backdoor.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (file-identify.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:3082 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response (malware-backdoor.rules)
 * 1:24458 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:26251 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:13801 <-> ENABLED <-> FILE-IDENTIFY RTF file download request (file-identify.rules)
 * 1:15013 <-> ENABLED <-> FILE-IDENTIFY PDF file download request (file-identify.rules)
 * 1:15587 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file download request (file-identify.rules)
 * 1:35852 <-> ENABLED <-> FILE-IDENTIFY JPEG file upload detected (file-identify.rules)
 * 1:36058 <-> ENABLED <-> FILE-IDENTIFY OLE Document upload detected (file-identify.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:16205 <-> ENABLED <-> FILE-IDENTIFY BMP file download request (file-identify.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (os-windows.rules)
 * 1:16406 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16407 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16475 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:16529 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE document file magic detected (file-identify.rules)
 * 1:17380 <-> ENABLED <-> FILE-IDENTIFY PNG file download request (file-identify.rules)
 * 1:17733 <-> ENABLED <-> FILE-IDENTIFY XML file download request (file-identify.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:19211 <-> ENABLED <-> FILE-IDENTIFY ZIP archive file download request (file-identify.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:20260 <-> ENABLED <-> FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request (file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:20621 <-> ENABLED <-> FILE-IDENTIFY JAR file download request (file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20963 <-> ENABLED <-> FILE-IDENTIFY DIB file download request (file-identify.rules)
 * 1:20964 <-> ENABLED <-> FILE-IDENTIFY SAMI file download request (file-identify.rules)
 * 1:20965 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20966 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20967 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21410 <-> ENABLED <-> FILE-IDENTIFY paq8o file download request (file-identify.rules)
 * 1:21411 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21412 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21613 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21614 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21695 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21696 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21697 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21698 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21724 <-> ENABLED <-> FILE-IDENTIFY ANI file download request (file-identify.rules)
 * 1:21725 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21726 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21727 <-> ENABLED <-> FILE-IDENTIFY ANI file magic detection (file-identify.rules)
 * 1:21728 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21729 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21730 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21731 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21732 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21733 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21734 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21735 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21736 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21737 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21746 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21747 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21856 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21857 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23664 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:23667 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23678 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:23708 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:23711 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (file-identify.rules)
 * 1:23725 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:23758 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:23759 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23773 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:24455 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24456 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24457 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-06-19 12:15:15 UTC

Snort Subscriber Rules Update

Date: 2018-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46980 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46975 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46987 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46977 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46978 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46976 <-> DISABLED <-> BROWSER-CHROME Google Chrome Crankshaft type confusion attempt (browser-chrome.rules)
 * 1:46988 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46982 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt (server-webapp.rules)
 * 1:46984 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yoban RAT outbound connection (malware-cnc.rules)
 * 1:46979 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service (indicator-compromise.rules)
 * 1:46983 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe banner (indicator-compromise.rules)
 * 1:46989 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MBRLock file download (malware-other.rules)
 * 1:46986 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Annabelle file download (malware-other.rules)
 * 1:46981 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate (malware-cnc.rules)

Modified Rules:


 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:29386 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:26057 <-> ENABLED <-> FILE-IDENTIFY ZIP file download detected (file-identify.rules)
 * 1:16294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP stack zero window size exploit attempt (os-windows.rules)
 * 1:3083 <-> DISABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation (malware-backdoor.rules)
 * 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
 * 1:3082 <-> ENABLED <-> MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response (malware-backdoor.rules)
 * 1:26058 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:31871 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:29385 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file attachment detected (file-identify.rules)
 * 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
 * 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
 * 1:13801 <-> ENABLED <-> FILE-IDENTIFY RTF file download request (file-identify.rules)
 * 1:15013 <-> ENABLED <-> FILE-IDENTIFY PDF file download request (file-identify.rules)
 * 1:15587 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word file download request (file-identify.rules)
 * 1:16205 <-> ENABLED <-> FILE-IDENTIFY BMP file download request (file-identify.rules)
 * 1:24458 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:35852 <-> ENABLED <-> FILE-IDENTIFY JPEG file upload detected (file-identify.rules)
 * 1:36058 <-> ENABLED <-> FILE-IDENTIFY OLE Document upload detected (file-identify.rules)
 * 1:39803 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected (malware-other.rules)
 * 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
 * 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:27110 <-> ENABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
 * 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:20621 <-> ENABLED <-> FILE-IDENTIFY JAR file download request (file-identify.rules)
 * 1:20464 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20465 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20260 <-> ENABLED <-> FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request (file-identify.rules)
 * 1:19190 <-> ENABLED <-> NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request (netbios.rules)
 * 1:19211 <-> ENABLED <-> FILE-IDENTIFY ZIP archive file download request (file-identify.rules)
 * 1:20223 <-> ENABLED <-> FILE-IDENTIFY SMI file download request (file-identify.rules)
 * 1:17745 <-> ENABLED <-> NETBIOS SMB TRANS2 Find_First2 request attempt (netbios.rules)
 * 1:17314 <-> ENABLED <-> FILE-IDENTIFY OLE document file magic detected (file-identify.rules)
 * 1:17380 <-> ENABLED <-> FILE-IDENTIFY PNG file download request (file-identify.rules)
 * 1:17733 <-> ENABLED <-> FILE-IDENTIFY XML file download request (file-identify.rules)
 * 1:16529 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
 * 1:16475 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16407 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:16406 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20963 <-> ENABLED <-> FILE-IDENTIFY DIB file download request (file-identify.rules)
 * 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
 * 1:20494 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:20480 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detection (file-identify.rules)
 * 1:20483 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20478 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:20467 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20468 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20469 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20466 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:20463 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:21738 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21696 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21613 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21614 <-> ENABLED <-> FILE-IDENTIFY PNG file attachment detected (file-identify.rules)
 * 1:21695 <-> ENABLED <-> FILE-IDENTIFY SMI file attachment detected (file-identify.rules)
 * 1:21500 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21480 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21498 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:21499 <-> ENABLED <-> FILE-IDENTIFY XML file attachment detected (file-identify.rules)
 * 1:21412 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21288 <-> ENABLED <-> FILE-IDENTIFY XML download detected (file-identify.rules)
 * 1:21410 <-> ENABLED <-> FILE-IDENTIFY paq8o file download request (file-identify.rules)
 * 1:21411 <-> ENABLED <-> FILE-IDENTIFY paq8o file attachment detected (file-identify.rules)
 * 1:21287 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21284 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21286 <-> ENABLED <-> FILE-IDENTIFY XSLT file attachment detected (file-identify.rules)
 * 1:21285 <-> ENABLED <-> FILE-IDENTIFY XSLT file download request (file-identify.rules)
 * 1:21283 <-> ENABLED <-> FILE-IDENTIFY XSL file attachment detected (file-identify.rules)
 * 1:21035 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:21282 <-> ENABLED <-> FILE-IDENTIFY XSL file download request (file-identify.rules)
 * 1:21036 <-> ENABLED <-> FILE-IDENTIFY PDF file attachment detected (file-identify.rules)
 * 1:20967 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20964 <-> ENABLED <-> FILE-IDENTIFY SAMI file download request (file-identify.rules)
 * 1:20965 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:20966 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
 * 1:21747 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21739 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21746 <-> ENABLED <-> FILE-IDENTIFY RTF file attachment detected (file-identify.rules)
 * 1:21737 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21734 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21735 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21736 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21733 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21730 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21731 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21732 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21729 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21726 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21727 <-> ENABLED <-> FILE-IDENTIFY ANI file magic detection (file-identify.rules)
 * 1:21728 <-> ENABLED <-> FILE-IDENTIFY JPG file attachment detected (file-identify.rules)
 * 1:21725 <-> ENABLED <-> FILE-IDENTIFY ANI file attachment detected (file-identify.rules)
 * 1:21697 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21698 <-> ENABLED <-> FILE-IDENTIFY SAMI file attachment detected (file-identify.rules)
 * 1:21724 <-> ENABLED <-> FILE-IDENTIFY ANI file download request (file-identify.rules)
 * 1:22043 <-> ENABLED <-> FILE-IDENTIFY XM file download request (file-identify.rules)
 * 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:21856 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21857 <-> ENABLED <-> FILE-IDENTIFY ZIP file attachment detected (file-identify.rules)
 * 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
 * 1:24456 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:24457 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:23758 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:24455 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:23773 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23759 <-> ENABLED <-> FILE-IDENTIFY XML file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:23711 <-> ENABLED <-> FILE-IDENTIFY OLE Document file magic detected (file-identify.rules)
 * 1:23725 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
 * 1:23664 <-> ENABLED <-> FILE-IDENTIFY PNG file magic detected (file-identify.rules)
 * 1:23708 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23678 <-> ENABLED <-> FILE-IDENTIFY PDF file magic detected (file-identify.rules)
 * 1:23654 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23667 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:23656 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23657 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:22046 <-> ENABLED <-> FILE-IDENTIFY XM file magic detected (file-identify.rules)
 * 1:23655 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23652 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:23653 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
 * 1:23651 <-> ENABLED <-> FILE-IDENTIFY JAR/ZIP file magic detected (file-identify.rules)
 * 1:22044 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:22045 <-> ENABLED <-> FILE-IDENTIFY XM file attachment detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:29384 <-> ENABLED <-> FILE-IDENTIFY Adobe AIR file download request (file-identify.rules)
 * 1:26251 <-> ENABLED <-> FILE-IDENTIFY JPEG file magic detected (file-identify.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)