Talos Rules 2018-09-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-image, file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2018-09-20 23:42:34 UTC

Snort Subscriber Rules Update

Date: 2018-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
 * 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
 * 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
 * 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)

Modified Rules:
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
 * 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)

2018-09-20 23:42:34 UTC

Snort Subscriber Rules Update

Date: 2018-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
 * 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
 * 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
 * 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)

Modified Rules:
 * 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)

2018-09-20 23:42:34 UTC

Snort Subscriber Rules Update

Date: 2018-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
 * 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (snort3-server-webapp.rules)
 * 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (snort3-malware-other.rules)
 * 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
 * 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (snort3-deleted.rules)
 * 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (snort3-malware-other.rules)
 * 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (snort3-file-image.rules)
 * 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
 * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules)
 * 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
 * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules)
 * 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
 * 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
 * 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (snort3-malware-cnc.rules)
 * 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
 * 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
 * 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (snort3-file-image.rules)
 * 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (snort3-malware-cnc.rules)

Modified Rules:
 * 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (snort3-server-webapp.rules)
 * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (snort3-malware-cnc.rules)
 * 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (snort3-pua-toolbars.rules)

2018-09-20 23:42:34 UTC

Snort Subscriber Rules Update

Date: 2018-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
 * 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
 * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
 * 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)

Modified Rules:
 * 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)

2018-09-20 23:42:34 UTC

Snort Subscriber Rules Update

Date: 2018-09-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
 * 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
 * 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
 * 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
 * 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
 * 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
 * 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
 * 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
 * 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
 * 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)

Modified Rules:
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
 * 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
 * 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)