Talos has added and modified multiple rules in the file-pdf, indicator-shellcode, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
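The "gid:sid <-> Default rule state <-> Message (rule group)" format above is regular enough to parse mechanically, which is what you want when deciding what to do with a release: the DISABLED entries are the ones that will not fire until you enable them in your own policy, the gid 3 entries are pre-compiled shared-object rules tied to a specific Snort build (which is why each Snort version gets its own pack), and comparing two packs tells you what actually changed. The following Python is an added example, not part of the Talos release notes or of any Snort tooling. It parses entries in this format (including lines where several entries have been run together with " * ", as happens when the list is extracted as one line), lists the rules that ship DISABLED, emits them as gid:sid lines of the kind a PulledPork-style enablesid.conf accepts, separates the shared-object rules, and diffs two packs. The SAMPLE entries are copied from the lists on this page; the PREVIOUS pack is constructed for the diff and does not correspond to any real release.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: entries copied from the 2091600 lists above. The fifth
# line deliberately carries two entries run together with " * ", as in the
# extracted page, to show that parse_entries() handles that artefact.
SAMPLE = """
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules) * 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
"""

# Constructed "previous pack" (hypothetical, not a real release) used only to
# demonstrate diff_packs().
PREVIOUS = """
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
"""

# One entry: "[*] gid:sid <-> ENABLED|DISABLED <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # Talos messages start with the rule category, e.g. "MALWARE-CNC".
        return self.msg.split(" ", 1)[0]


def split_flattened(text: str) -> str:
    """Put each entry on its own line when several were joined with ' * '."""
    return re.sub(r"\s+\*\s+(?=\d+:\d+\s*<->)", "\n* ", text)


def parse_entries(text: str) -> list[RuleEntry]:
    """Parse every entry in the release-notes format; non-matching lines are skipped."""
    entries = []
    for line in split_flattened(text).splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return entries


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules that will not fire until enabled in local policy, sorted by gid:sid."""
    return sorted((e for e in entries if e.state == "DISABLED"), key=lambda e: (e.gid, e.sid))


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """gid:sid lines suitable for a PulledPork-style enablesid.conf."""
    return [e.key for e in disabled_by_default(entries)]


def shared_object_rules(entries: list[RuleEntry]) -> list[RuleEntry]:
    """gid 3 entries: compiled shared-object rules, valid only for the matching Snort build."""
    return [e for e in entries if e.gid == 3]


def state_counts_by_category(entries: list[RuleEntry]) -> dict[str, Counter]:
    """How many rules per category ship ENABLED vs DISABLED."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        counts[e.category][e.state] += 1
    return dict(counts)


def diff_packs(previous: list[RuleEntry], current: list[RuleEntry]) -> tuple[set[str], set[str]]:
    """(added, removed) gid:sid keys between two parsed packs."""
    before = {e.key for e in previous}
    after = {e.key for e in current}
    return after - before, before - after


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print("disabled by default, review before enabling:")
    for e in disabled_by_default(entries):
        print(f"  {e.key:10} {e.msg}")
    print("enablesid.conf candidates:", ", ".join(enablesid_lines(entries)))
    print("shared-object (gid 3) rules:", [e.key for e in shared_object_rules(entries)])
    added, removed = diff_packs(parse_entries(PREVIOUS), entries)
    print("added since previous pack:", sorted(added), "removed:", sorted(removed))
```

DISABLED here is only the rule's default state in the pack; whether to enable it is a local policy decision, and those entries are exactly the ones worth reviewing before an update lands. Keep the gid 3 list separate, since those rules only load on the Snort build the pack was compiled for.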
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (snort3-malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (snort3-malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (snort3-malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (snort3-malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (snort3-malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (snort3-malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (snort3-malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (snort3-malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (snort3-malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (snort3-malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (snort3-malware-cnc.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (snort3-malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (snort3-indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (snort3-policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54284 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54285 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-8014470-0 download attempt (malware-other.rules)
* 1:54286 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54287 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014472-0 download attempt (malware-other.rules)
* 1:54288 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54289 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Vobfus-8014473-0 download attempt (malware-other.rules)
* 1:54291 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54292 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.AZORult phishing document download attempt (malware-other.rules)
* 1:54293 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neutrino variant payload download (malware-cnc.rules)
* 1:54294 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:54295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 3:54282 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54283 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1092 attack attempt (file-pdf.rules)
* 3:54290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1091 attack attempt (server-webapp.rules)

Modified rules:
* 1:32670 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Ch variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:51417 <-> DISABLED <-> POLICY-OTHER Telerik UI cryptographic keys disclosure attempt (policy-other.rules)
* 1:51418 <-> ENABLED <-> SERVER-WEBAPP Telerik UI cryptographic keys disclosure attempt (server-webapp.rules)
* 3:53485 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)
* 3:53486 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1028 attack attempt (file-pdf.rules)