Talos Rules 2018-05-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in these categories.

Change logs

2018-05-17 13:27:19 UTC

Snort Subscriber Rules Update

Date: 2018-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
 * 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
 * 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
 * 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
 * 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
 * 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
 * 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
 * 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
 * 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)

Modified Rules:

 * 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
 * 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
 * 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
 * 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
 * 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
 * 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
 * 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)

2018-05-17 13:27:19 UTC

Snort Subscriber Rules Update

Date: 2018-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
 * 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
 * 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
 * 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
 * 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
 * 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
 * 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
 * 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
 * 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)

Modified Rules:

 * 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
 * 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
 * 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
 * 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
 * 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
 * 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)

2018-05-17 13:27:19 UTC

Snort Subscriber Rules Update

Date: 2018-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (snort3-malware-cnc.rules)
 * 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (snort3-malware-cnc.rules)
 * 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (snort3-malware-cnc.rules)
 * 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

Modified Rules:

 * 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (snort3-malware-cnc.rules)
 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (snort3-malware-cnc.rules)
 * 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (snort3-malware-cnc.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (snort3-malware-cnc.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (snort3-malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (snort3-malware-cnc.rules)
 * 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (snort3-malware-backdoor.rules)
 * 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (snort3-malware-backdoor.rules)
 * 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (snort3-malware-cnc.rules)
 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (snort3-malware-cnc.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (snort3-malware-cnc.rules)
 * 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (snort3-malware-backdoor.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (snort3-malware-cnc.rules)
 * 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (snort3-malware-backdoor.rules)

2018-05-17 13:27:19 UTC

Snort Subscriber Rules Update

Date: 2018-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
 * 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
 * 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
 * 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
 * 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
 * 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
 * 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
 * 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
 * 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)

Modified Rules:

 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
 * 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
 * 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
 * 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
 * 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
 * 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
 * 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
 * 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
 * 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)

2018-05-17 13:27:19 UTC

Snort Subscriber Rules Update

Date: 2018-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
 * 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
 * 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
 * 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
 * 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
 * 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
 * 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
 * 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
 * 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
 * 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)

Modified Rules:

 * 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
 * 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
 * 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
 * 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
 * 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
 * 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
 * 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
 * 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
 * 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
 * 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
 * 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
 * 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)