Talos Rules 2019-11-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-mobile, policy-other, protocol-voip, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)

Modified Rules:


 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (snort3-server-webapp.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (snort3-file-other.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (snort3-indicator-compromise.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (snort3-indicator-compromise.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (snort3-indicator-compromise.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (snort3-indicator-compromise.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (snort3-server-webapp.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (snort3-malware-cnc.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (snort3-server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (snort3-file-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (snort3-server-webapp.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (snort3-malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (snort3-malware-cnc.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (snort3-malware-cnc.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (snort3-malware-cnc.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (snort3-malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (snort3-malware-other.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (snort3-server-apache.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (snort3-pua-other.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (snort3-malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (snort3-malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (snort3-malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (snort3-malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)

2019-11-07 13:37:13 UTC

Snort Subscriber Rules Update

Date: 2019-11-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
 * 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
 * 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
 * 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
 * 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
 * 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection  (malware-cnc.rules)
 * 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
 * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
 * 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
 * 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)

Modified Rules:


 * 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
 * 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)