Talos Rules 2021-01-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-other, malware-tools, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)

Modified Rules:


 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

New Rules:


 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:


 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (snort3-malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (snort3-malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (snort3-malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (snort3-malware-other.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (snort3-malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (snort3-malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (snort3-malware-other.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (snort3-malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (snort3-malware-other.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (snort3-server-webapp.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (snort3-malware-other.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (snort3-malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (snort3-malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (snort3-server-webapp.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (snort3-malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (snort3-server-webapp.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (snort3-malware-other.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (snort3-malware-tools.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (snort3-malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (snort3-malware-other.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (snort3-malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (snort3-malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (snort3-policy-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (snort3-malware-tools.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (snort3-malware-other.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (snort3-server-webapp.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (snort3-malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (snort3-malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (snort3-malware-other.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (snort3-malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (snort3-malware-other.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (snort3-malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (snort3-malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (snort3-malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (snort3-malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (snort3-malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (snort3-malware-other.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (snort3-malware-tools.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (snort3-malware-tools.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (snort3-malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (snort3-malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (snort3-malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (snort3-protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (snort3-protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (snort3-protocol-scada.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (snort3-protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (snort3-protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (snort3-protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (snort3-protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (snort3-protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (snort3-protocol-scada.rules)
 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (snort3-protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (snort3-protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (snort3-protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (snort3-protocol-scada.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (snort3-protocol-scada.rules)

2021-01-19 21:51:57 UTC

Snort Subscriber Rules Update

Date: 2021-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:


 * 1:56898 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56929 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56917 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56920 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56911 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56901 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56912 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56913 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9821797-0 download attempt (malware-other.rules)
 * 1:56919 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56897 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9819490-0 download attempt (malware-other.rules)
 * 1:56900 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56904 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56918 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822210-0 download attempt (malware-other.rules)
 * 1:56936 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56914 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56934 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56896 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56909 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56923 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56903 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Mikey-9820100-0 download attempt (malware-other.rules)
 * 1:56902 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9819756-0 download attempt (malware-other.rules)
 * 1:56908 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-9821529-0 download attempt (malware-other.rules)
 * 1:56922 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822241-0 download attempt (malware-other.rules)
 * 1:56935 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56895 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Xowgc8j-9819208-0 download attempt (malware-other.rules)
 * 1:56906 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56907 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Emotet-9821266-0 download attempt (malware-other.rules)
 * 1:56926 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56924 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56925 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9822370-0 download attempt (malware-other.rules)
 * 1:56948 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56927 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56928 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Trickbot Trickboot module download attempt (malware-tools.rules)
 * 1:56949 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Stantinko-9822477-0 download attempt (malware-other.rules)
 * 1:56921 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qqpass-9822211-0 download attempt (malware-other.rules)
 * 1:56932 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56933 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)
 * 1:56899 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Tiny-9819505-0 download attempt (malware-other.rules)
 * 1:56905 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin debug log file access attempt (policy-other.rules)
 * 1:56916 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56937 <-> ENABLED <-> SERVER-WEBAPP Nagios XI ajaxhelper command injection attempt (server-webapp.rules)
 * 1:56915 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Cerbu-9822059-0 download attempt (malware-other.rules)
 * 1:56910 <-> DISABLED <-> MALWARE-OTHER Unix.Keylogger.Asacub-9821542-0 download attempt (malware-other.rules)
 * 1:56931 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.FANCYBEAR variant binary download attempt (malware-other.rules)

Modified Rules:


 * 1:45426 <-> DISABLED <-> PROTOCOL-SCADA MMS UnconfirmedPDU (protocol-scada.rules)
 * 1:45430 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ErrorPDU (protocol-scada.rules)
 * 1:45424 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ResponsePDU (protocol-scada.rules)
 * 1:45428 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-RequestPDU (protocol-scada.rules)
 * 1:45425 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-ErrorPDU (protocol-scada.rules)
 * 1:45436 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ErrorPDU (protocol-scada.rules)
 * 1:45434 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-RequestPDU (protocol-scada.rules)
 * 1:45429 <-> DISABLED <-> PROTOCOL-SCADA MMS Cancel-ResponsePDU (protocol-scada.rules)
 * 1:45432 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ResponsePDU (protocol-scada.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45433 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-ErrorPDU (protocol-scada.rules)
 * 1:45431 <-> DISABLED <-> PROTOCOL-SCADA MMS Initiate-RequestPDU (protocol-scada.rules)
 * 1:45435 <-> DISABLED <-> PROTOCOL-SCADA MMS Conclude-ResponsePDU (protocol-scada.rules)
 * 1:45423 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU (protocol-scada.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:45427 <-> DISABLED <-> PROTOCOL-SCADA MMS RejectPDU (protocol-scada.rules)