Talos Rules 2020-03-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (snort3-server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (snort3-server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (snort3-server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (snort3-server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (snort3-os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (snort3-policy-other.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules)

2020-03-12 16:03:38 UTC

Snort Subscriber Rules Update

Date: 2020-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules)
 * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules)
 * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules)
 * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules)
 * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules)
 * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
 * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
 * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules)
 * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules)
 * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)