Talos Rules 2018-07-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats.

Note the default states in the listings below: the new MALWARE-CNC and MALWARE-OTHER rules, the two Oracle WebLogic Server JSP file upload rules (1:47389, 1:47390) and all GID 3 shared-object rules ship ENABLED, while the remaining new FILE-*, SERVER-WEBAPP, INDICATOR-COMPROMISE and INDICATOR-OBFUSCATION rules ship DISABLED and must be enabled in policy before they alert. The Snort 3 (version 3000) listing carries no GID 3 rules.

Change logs

2018-07-31 17:39:38 UTC

Snort Subscriber Rules Update

Date: 2018-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
 * 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
 * 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
 * 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
 * 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)

Modified Rules:


 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
 * 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
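The gid:sid <-> state <-> message (rule group) lines above are simple to script against. As an added example, not part of the Talos release notes, the Python below parses a changelog in that format, lists the new rules that ship DISABLED, separates the GID 3 shared-object rules, diffs two listings to show which entries the Snort 3 listing lacks, and emits an enable list for chosen categories. The embedded samples are constructed excerpts of the version 2091101 and version 3000 listings on this page; the one-gid:sid-per-line output format is an assumption about the consuming rule manager.

```python
"""Parse Snort Subscriber Rules changelog lines of the form
 * gid:sid <-> ENABLED|DISABLED <-> MESSAGE (rulefile.rules)
and report what the update actually changes in a default policy."""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # first token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str      # rule file, e.g. server-webapp.rules
    section: str    # "new" or "modified"


def parse_changelog(text):
    """Return RuleEntry objects tagged with the 'New Rules:' / 'Modified Rules:' section they sit under."""
    entries, section = [], None
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
        elif header == "Modified Rules:":
            section = "modified"
        elif section is not None and (m := LINE_RE.match(line)):
            msg = m.group("msg")
            entries.append(RuleEntry(int(m.group("gid")), int(m.group("sid")),
                                     m.group("state") == "ENABLED",
                                     msg.split(" ", 1)[0], msg, m.group("group"), section))
    return entries


def disabled_new_rules(entries):
    """New rules that ship DISABLED: the update adds them, but they alert on nothing until enabled."""
    return sorted((e.gid, e.sid, e.message) for e in entries if e.section == "new" and not e.enabled)


def shared_object_rules(entries):
    """GID 3 entries are shared-object (SO) rules, which need the precompiled .so for your platform."""
    return sorted((e.gid, e.sid) for e in entries if e.gid == 3)


def missing_from(entries, other):
    """gid:sid pairs present in `entries` but absent from `other`, e.g. Snort 2 listing vs Snort 3 listing."""
    have = {(e.gid, e.sid) for e in other}
    return sorted((e.gid, e.sid) for e in entries if (e.gid, e.sid) not in have)


def enable_list(entries, categories):
    """One 'gid:sid' per line for DISABLED rules in the chosen categories.
    The consumer format is an assumption; adapt it to your rule manager."""
    wanted = sorted((e for e in entries if not e.enabled and e.category in categories),
                    key=lambda e: (e.gid, e.sid))
    return [f"{e.gid}:{e.sid}" for e in wanted]


def state_counts(entries):
    """Counter keyed by (section, 'ENABLED'|'DISABLED')."""
    return Counter((e.section, "ENABLED" if e.enabled else "DISABLED") for e in entries)


# Constructed samples: excerpts of the version 2091101 and version 3000 listings on this page.
SNORT2_EXCERPT = """New Rules:

 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)

Modified Rules:

 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
"""

SNORT3_EXCERPT = """New Rules:

 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (snort3-server-webapp.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (snort3-malware-cnc.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (snort3-indicator-compromise.rules)

Modified Rules:

 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (snort3-malware-other.rules)
"""

if __name__ == "__main__":
    snort2, snort3 = parse_changelog(SNORT2_EXCERPT), parse_changelog(SNORT3_EXCERPT)
    print("state counts:", dict(state_counts(snort2)))
    for gid, sid, msg in disabled_new_rules(snort2):
        print(f"new but DISABLED  {gid}:{sid}  {msg}")
    print("SO rules (GID 3):", shared_object_rules(snort2))
    print("in Snort 2 listing only:", missing_from(snort2, snort3))
    print("enable list for SERVER-WEBAPP:", enable_list(snort2, {"SERVER-WEBAPP"}))
```

Run it against a full changelog pasted into the sample strings to get the list of rules the update adds but your default policy will never fire, and to confirm that the GID 3 entries (which need the shared-object package for your platform) are the only ones absent from the Snort 3 listing.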

2018-07-31 17:39:38 UTC

Snort Subscriber Rules Update

Date: 2018-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
 * 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
 * 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
 * 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
 * 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)

Modified Rules:


 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
 * 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

2018-07-31 17:39:38 UTC

Snort Subscriber Rules Update

Date: 2018-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (snort3-malware-cnc.rules)
 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
 * 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (snort3-server-webapp.rules)
 * 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
 * 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (snort3-file-image.rules)
 * 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (snort3-server-webapp.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
 * 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (snort3-server-webapp.rules)
 * 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (snort3-file-image.rules)
 * 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (snort3-indicator-obfuscation.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (snort3-indicator-obfuscation.rules)
 * 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
 * 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
 * 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
 * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules)
 * 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
 * 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (snort3-file-other.rules)
 * 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (snort3-file-other.rules)

Modified Rules:


 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (snort3-malware-cnc.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)
 * 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)
 * 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (snort3-malware-other.rules)
 * 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
 * 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)

2018-07-31 17:39:38 UTC

Snort Subscriber Rules Update

Date: 2018-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
 * 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
 * 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
 * 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
 * 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)

Modified Rules:


 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

2018-07-31 17:39:38 UTC

Snort Subscriber Rules Update

Date: 2018-07-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
 * 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
 * 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
 * 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
 * 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
 * 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
 * 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
 * 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
 * 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
 * 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
 * 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
 * 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
 * 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)

Modified Rules:


 * 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
 * 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)