Talos Rules 2019-06-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, malware-cnc and sql rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (malware-cnc.rules)
 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 3:50427 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (malware-cnc.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (malware-cnc.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 3:50427 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (malware-cnc.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 3:50427 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (snort3-malware-cnc.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (snort3-malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (snort3-malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (snort3-malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (snort3-malware-cnc.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (snort3-malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (snort3-malware-cnc.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (snort3-malware-cnc.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (snort3-malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (snort3-sql.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (snort3-malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (snort3-malware-cnc.rules)

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (malware-cnc.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (malware-cnc.rules)
 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 3:50427 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)

2019-06-13 17:47:13 UTC

Snort Subscriber Rules Update

Date: 2019-06-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50416 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50428 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server authenticated arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50424 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran (malware-cnc.rules)
 * 1:50421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50429 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50436 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50437 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50435 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50432 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50433 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buran malicious Buran ransomware download attempt (malware-cnc.rules)
 * 1:50430 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50438 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50434 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50431 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Reptilicus variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50446 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50445 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50439 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.iSpyoo variant post-compromise outbound connection (malware-cnc.rules)
 * 1:50440 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit inbound VERIFY_HOST response (malware-cnc.rules)
 * 1:50417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 3:50427 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:49355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KerrDown variant outbound connection (malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)