Talos Rules 2020-02-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)
 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)
 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (snort3-malware-other.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (snort3-malware-other.rules)
 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (snort3-server-oracle.rules)
 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)

2020-02-14 19:30:15 UTC

Snort Subscriber Rules Update

Date: 2020-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53105 <-> DISABLED <-> SERVER-ORACLE Oracle WebLogic unsafe deserialization remote code execution attempt (server-oracle.rules)
 * 1:53108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection (malware-cnc.rules)
 * 1:53107 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)
 * 1:53106 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Snake malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)