Talos Rules 2020-02-27
This release adds and modifies rules in several categories.

Talos has added rules to the malware-cnc and malware-tools rule sets (Win.Worm.Emotet WiFi Spreader and Win.Trojan.AZORult detections) and modified rules in the indicator-scan and server-webapp rule sets (SSH brute-force and OpenEMR command-injection detections) to provide coverage for emerging threats. Note the default rule state in the listings below: several of the new Emotet download-attempt rules ship DISABLED and will not fire until they are enabled in the local policy.

Change logs

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
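The listing above follows the `gid:sid <-> Default rule state <-> Message (rule group)` format described earlier. As an added example (not part of the release notes and not Talos's or Cisco's own tooling), the Python below parses that format, separates the "New Rules" and "Modified Rules" sections, lists the SIDs a pack ships DISABLED, and turns a keyword match (here "Emotet") into gid:sid lines of the kind a PulledPork-style enablesid.conf consumes. The embedded sample text is a constructed excerpt copied in the same format as the listing; the enablesid-style output is an illustrative assumption about how an operator would act on it, not something the release notes prescribe.

```python
import re
from typing import Dict, List

# Constructed sample input: a handful of lines in the same format as the
# release notes above (an excerpt, not a complete rule pack).
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
"""

# One changelog line: "gid:sid <-> Default rule state <-> Message (rule group)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text: str) -> List[Dict[str, str]]:
    """Parse the 'New Rules' / 'Modified Rules' listing into one dict per rule."""
    section = None
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue  # blank lines, headers and anything not in rule format
        entry = m.groupdict()
        entry["section"] = section or "unknown"
        entries.append(entry)
    return entries


def disabled_by_default(entries: List[Dict[str, str]]) -> List[str]:
    """gid:sid of every rule the pack ships DISABLED; these alert nowhere until enabled."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if e["state"] == "DISABLED")


def sids_matching(entries: List[Dict[str, str]], keyword: str) -> List[str]:
    """gid:sid of rules whose message mentions keyword (case-insensitive), e.g. a malware family."""
    k = keyword.lower()
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if k in e["msg"].lower())


def enablesid_block(entries: List[Dict[str, str]], keyword: str) -> str:
    """Lines for an enablesid.conf-style policy file (assumed format: one gid:sid per
    line, '#' comments): the DISABLED rules whose message matches keyword, with the
    message kept as a comment so the change can be reviewed later."""
    lines = []
    for e in sorted(entries, key=lambda e: (int(e["gid"]), int(e["sid"]))):
        if e["state"] == "DISABLED" and keyword.lower() in e["msg"].lower():
            lines.append(f"# {e['msg']} ({e['group']})")
            lines.append(f"{e['gid']}:{e['sid']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print(f"{len(rules)} rules parsed")
    print("disabled by default:", disabled_by_default(rules))
    print(enablesid_block(rules, "Emotet"))
```

Run against the full listing for your Snort version, the output makes the policy gap visible: the Emotet WiFi Spreader outbound-connection rules (1:53353, 1:53354) are on by default, but three of the six download-attempt rules (1:53355, 1:53358, 1:53360) are not, so an organisation that wants that coverage has to enable them deliberately and watch for noise on its own traffic.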

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)

Modified Rules:


 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)

Modified Rules:


 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)

Modified Rules:


 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)

Modified Rules:


 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (snort3-malware-cnc.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (snort3-malware-cnc.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (snort3-malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (snort3-server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (snort3-indicator-scan.rules)

2020-02-27 13:28:54 UTC

Snort Subscriber Rules Update

Date: 2020-02-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53353 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53360 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53359 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:53358 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53356 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53354 <-> ENABLED <-> MALWARE-CNC Win.Worm.Emotet WiFi Spreader variant outbound connection (malware-cnc.rules)
 * 1:53357 <-> ENABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)
 * 1:53355 <-> DISABLED <-> MALWARE-TOOLS Win.Worm.Emotet WiFi Spreader variant download attempt (malware-tools.rules)

Modified Rules:


 * 1:53245 <-> DISABLED <-> SERVER-WEBAPP OpenEMR command injection attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)