Talos Rules 2019-09-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the indicator-shellcode, malware-cnc, malware-other, os-windows, protocol-services, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (snort3-indicator-shellcode.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (snort3-malware-other.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (snort3-server-webapp.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (snort3-server-apache.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (snort3-server-webapp.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (snort3-indicator-shellcode.rules)

Modified Rules:


 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (snort3-protocol-services.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (snort3-protocol-services.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (snort3-protocol-services.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (snort3-protocol-services.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (snort3-server-webapp.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (snort3-os-windows.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (snort3-protocol-services.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)

Modified Rules:


 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)

2019-09-17 13:02:44 UTC

Snort Subscriber Rules Update

Date: 2019-09-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
 * 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
 * 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)

Modified Rules:


 * 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
 * 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
 * 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
 * 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)