Talos Rules 2018-11-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
 * 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)

Modified Rules:


 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
 * 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)

Modified Rules:


 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
 * 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)

Modified Rules:


 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (snort3-malware-cnc.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (snort3-malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (snort3-malware-cnc.rules)
 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (snort3-malware-cnc.rules)
 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (snort3-file-flash.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (snort3-file-other.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (snort3-file-flash.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (snort3-file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (snort3-file-flash.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (snort3-file-other.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (snort3-file-office.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (snort3-file-flash.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (snort3-os-windows.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (snort3-os-windows.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (snort3-file-office.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (snort3-os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (snort3-file-other.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (snort3-os-windows.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (snort3-file-office.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (snort3-os-windows.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (snort3-file-office.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (snort3-file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (snort3-file-office.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (snort3-file-other.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (snort3-os-windows.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (snort3-file-other.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (snort3-file-other.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (snort3-file-flash.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (snort3-file-flash.rules)
 * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (snort3-file-other.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (snort3-os-windows.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (snort3-os-windows.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (snort3-os-windows.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (snort3-file-office.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-file-other.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-file-other.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (snort3-file-office.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (snort3-file-office.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (snort3-browser-ie.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (snort3-file-office.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (snort3-os-windows.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (snort3-file-office.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (snort3-file-office.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (snort3-file-office.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (snort3-file-office.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (snort3-file-office.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (snort3-browser-ie.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (snort3-file-office.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (snort3-file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (snort3-os-windows.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (snort3-file-other.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (snort3-file-other.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (snort3-file-flash.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (snort3-file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (snort3-file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (snort3-file-office.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (snort3-file-flash.rules)

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
 * 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
 * 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)

Modified Rules:


 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)

2018-11-20 15:49:56 UTC

Snort Subscriber Rules Update

Date: 2018-11-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
 * 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
 * 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
 * 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
 * 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)

Modified Rules:


 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
 * 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
 * 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
 * 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
 * 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
 * 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
 * 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
 * 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
 * 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
 * 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
 * 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
 * 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
 * 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
 * 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
 * 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
 * 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
 * 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
 * 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
 * 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
 * 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
 * 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
 * 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
 * 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
 * 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
 * 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
 * 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
 * 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
 * 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
 * 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
 * 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)