Talos Rules 2019-11-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (snort3-file-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (snort3-policy-other.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (snort3-server-webapp.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (snort3-malware-cnc.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (snort3-policy-other.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (snort3-malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (snort3-policy-other.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (snort3-server-webapp.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (snort3-server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (snort3-server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (snort3-server-webapp.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (snort3-server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (snort3-server-webapp.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (snort3-server-webapp.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (snort3-file-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (snort3-server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)

2019-11-19 13:37:57 UTC

Snort Subscriber Rules Update

Date: 2019-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
 * 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
 * 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
 * 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
 * 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
 * 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
 * 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
 * 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
 * 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
 * 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
 * 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
 * 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
 * 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
 * 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)

Modified Rules:


 * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)