Talos Rules 2018-11-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, indicator-shellcode, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (malware-cnc.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (malware-cnc.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (server-webapp.rules)
 * 3:48293 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)
 * 3:48294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (indicator-shellcode.rules)
 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (server-webapp.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (malware-cnc.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 3:48294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)
 * 3:48293 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (indicator-shellcode.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (server-webapp.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (malware-cnc.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 3:48294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)
 * 3:48293 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (indicator-shellcode.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (snort3-malware-cnc.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (snort3-protocol-voip.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (snort3-server-webapp.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (snort3-server-webapp.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (snort3-malware-cnc.rules)
 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (snort3-malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (snort3-malware-cnc.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (snort3-protocol-voip.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (snort3-malware-cnc.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (snort3-malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (snort3-malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (snort3-malware-cnc.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (snort3-server-webapp.rules)
 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (snort3-malware-cnc.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (snort3-protocol-voip.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-browser-ie.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-browser-ie.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (snort3-protocol-voip.rules)
 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (snort3-indicator-shellcode.rules)

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (server-webapp.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (malware-cnc.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 3:48293 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)
 * 3:48294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (indicator-shellcode.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)

2018-11-06 16:31:36 UTC

Snort Subscriber Rules Update

Date: 2018-11-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 1:48274 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
 * 1:48278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48279 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48280 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant download attempt (malware-cnc.rules)
 * 1:48275 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered (malware-cnc.rules)
 * 1:48276 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt (malware-cnc.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48269 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48270 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48271 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48272 <-> DISABLED <-> SERVER-WEBAPP Netgear Router admin password access attempt (server-webapp.rules)
 * 1:48267 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48268 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt (server-webapp.rules)
 * 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
 * 1:48289 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48291 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48292 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48266 <-> DISABLED <-> SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt (server-webapp.rules)
 * 1:48290 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:48273 <-> DISABLED <-> SERVER-WEBAPP Cockpit CMS media API directory traversal attempt (server-webapp.rules)
 * 1:48287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FormBook variant outbound request detected (malware-cnc.rules)
 * 3:48293 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)
 * 3:48294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0704 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:17340 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder (indicator-shellcode.rules)
 * 1:20395 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:19389 <-> DISABLED <-> PROTOCOL-VOIP SIP REGISTER flood attempt (protocol-voip.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)