Talos Rules 2020-02-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, file-image, file-office, file-other, malware-backdoor, malware-cnc, malware-other, policy-other, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)

Modified Rules:


 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)

Modified Rules:


 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:


 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)

Modified Rules:


 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:


 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (snort3-server-webapp.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (snort3-malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (snort3-malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (snort3-malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (snort3-malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (snort3-malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (snort3-malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (snort3-malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (snort3-malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (snort3-malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (snort3-malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (snort3-malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (snort3-malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (snort3-server-other.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (snort3-malware-backdoor.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (snort3-malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (snort3-app-detect.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (snort3-sql.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (snort3-server-webapp.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:


 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)