Talos has added and modified multiple rules in the file-image, file-java, malware-cnc, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules) * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules) * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules) * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules) * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules) * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules) * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (snort3-server-webapp.rules) * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (snort3-malware-cnc.rules) * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (snort3-server-other.rules) * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules) * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (snort3-malware-cnc.rules) * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules) * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (snort3-malware-cnc.rules) * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (snort3-server-other.rules) * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (snort3-malware-cnc.rules) * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules) * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (snort3-malware-cnc.rules) * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (snort3-server-webapp.rules) * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (snort3-malware-cnc.rules)
* 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (snort3-file-java.rules) * 1:40235 <-> DISABLED <-> DELETED MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping request (snort3-deleted.rules) * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (snort3-malware-cnc.rules) * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (snort3-os-linux.rules) * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (snort3-file-java.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules) * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules) * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules) * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules) * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules) * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
* 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules) * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules) * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules) * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules) * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules) * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules) * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
* 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules) * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46141 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46140 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46139 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46138 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection (malware-cnc.rules) * 1:46137 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt (malware-cnc.rules) * 1:46136 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banbra variant outbound connection (malware-cnc.rules) * 1:46135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Krodown variant connection attempt (malware-cnc.rules) * 1:46133 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46132 <-> DISABLED <-> SERVER-WEBAPP OpenEMR SQL injection attempt (server-webapp.rules) * 1:46131 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 1:46130 <-> DISABLED <-> SERVER-OTHER cPanel Mailman privilege escalation attempt (server-other.rules) * 1:46129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HW32 variant outbound connection (malware-cnc.rules) * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules) * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules) * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules) * 3:46147 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46148 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0552 attack attempt (file-image.rules) * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules) * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
* 1:35467 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:35468 <-> DISABLED <-> FILE-JAVA Oracle Java VersionHelper loadClass sandbox bypass attempt (file-java.rules) * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules) * 1:40234 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes ping reply (malware-cnc.rules)