Talos Rules 2018-03-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, deleted, malware-cnc, os-windows, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-03-15 16:41:14 UTC

Snort Subscriber Rules Update

Date: 2018-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
 * 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
 * 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
 * 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
 * 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
 * 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
 * 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
 * 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
 * 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
 * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
 * 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)

2018-03-15 16:41:14 UTC

Snort Subscriber Rules Update

Date: 2018-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
 * 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
 * 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
 * 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
 * 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
 * 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
 * 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
 * 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
 * 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
 * 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)

Modified Rules:


 * 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
 * 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)

2018-03-15 16:41:14 UTC

Snort Subscriber Rules Update

Date: 2018-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (snort3-pua-other.rules)
 * 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (snort3-pua-other.rules)
 * 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (snort3-pua-other.rules)
 * 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (snort3-malware-cnc.rules)
 * 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (snort3-server-webapp.rules)
 * 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (snort3-malware-cnc.rules)
 * 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (snort3-malware-cnc.rules)
 * 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (snort3-malware-cnc.rules)
 * 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (snort3-malware-cnc.rules)
 * 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (snort3-deleted.rules)
 * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules)
 * 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (snort3-malware-cnc.rules)
 * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules)
 * 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (snort3-malware-cnc.rules)
 * 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (snort3-malware-cnc.rules)
 * 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (snort3-malware-cnc.rules)
 * 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (snort3-malware-cnc.rules)
 * 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (snort3-pua-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (snort3-pua-other.rules)

Modified Rules:


 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (snort3-browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (snort3-os-windows.rules)
 * 1:31870 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file download request (snort3-deleted.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (snort3-browser-plugins.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:31865 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
 * 1:31867 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (snort3-os-windows.rules)
 * 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (snort3-malware-cnc.rules)
 * 1:31866 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:31869 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file download request (snort3-deleted.rules)
 * 1:31868 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
 * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (snort3-server-other.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)

2018-03-15 16:41:14 UTC

Snort Subscriber Rules Update

Date: 2018-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
 * 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
 * 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
 * 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
 * 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
 * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
 * 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
 * 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
 * 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
 * 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)

2018-03-15 16:41:14 UTC

Snort Subscriber Rules Update

Date: 2018-03-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
 * 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
 * 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
 * 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
 * 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
 * 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
 * 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
 * 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
 * 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
 * 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
 * 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
 * 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
 * 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
 * 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
 * 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
 * 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
 * 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
 * 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
 * 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
 * 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)