Talos Rules 2020-03-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (snort3-server-other.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (snort3-malware-other.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (snort3-malware-other.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (snort3-malware-other.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (snort3-server-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (snort3-malware-other.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (snort3-malware-other.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (snort3-policy-other.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (snort3-policy-other.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (snort3-malware-cnc.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (snort3-server-other.rules)
 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (snort3-malware-other.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (snort3-file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (snort3-policy-other.rules)

2020-03-03 13:24:42 UTC

Snort Subscriber Rules Update

Date: 2020-03-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53363 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7600019-0 download attempt (malware-other.rules)
 * 1:53376 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53373 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53365 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Mozart payload download attempt (malware-other.rules)
 * 1:53362 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7599441-0 download attempt (malware-other.rules)
 * 1:53367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53364 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53374 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DrsAddEntry attempt (policy-other.rules)
 * 1:53366 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.Mozart malicious PDF download attempt (malware-other.rules)
 * 1:53371 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound cnc connection attempt (malware-cnc.rules)
 * 1:53372 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53378 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)
 * 1:53370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mozart outbound CNC connection (malware-cnc.rules)
 * 1:53375 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DRSUAPI_REPLICA_ADD attempt (policy-other.rules)
 * 1:53361 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-7599049-0 download attempt (malware-other.rules)
 * 1:53377 <-> DISABLED <-> SERVER-OTHER Exim unauthenticated remote code execution attempt (server-other.rules)

Modified Rules:

 * 1:28700 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)