Talos Rules 2020-06-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, policy-other, protocol-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)

Modified Rules:


 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

Modified Rules:


 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (snort3-malware-other.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (snort3-malware-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (snort3-malware-other.rules)
 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (snort3-server-webapp.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (snort3-malware-other.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (snort3-server-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (snort3-policy-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (snort3-malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (snort3-malware-cnc.rules)

2020-06-04 12:28:55 UTC

Snort Subscriber Rules Update

Date: 2020-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
 * 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
 * 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
 * 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
 * 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
 * 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
 * 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
 * 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
 * 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
 * 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
 * 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
 * 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
 * 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)