Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
* 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
* 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (snort3-server-webapp.rules)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (snort3-malware-cnc.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (snort3-malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (snort3-malware-cnc.rules)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (snort3-malware-cnc.rules)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (snort3-server-webapp.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (snort3-file-flash.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (snort3-file-other.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (snort3-file-flash.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (snort3-file-flash.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (snort3-file-flash.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (snort3-file-other.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (snort3-file-office.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (snort3-file-flash.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (snort3-os-windows.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (snort3-os-windows.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (snort3-file-office.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (snort3-os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (snort3-file-other.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (snort3-os-windows.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (snort3-file-office.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (snort3-os-windows.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (snort3-file-office.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (snort3-file-office.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (snort3-file-office.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (snort3-file-other.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (snort3-os-windows.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (snort3-file-other.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (snort3-file-other.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (snort3-file-flash.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (snort3-file-flash.rules)
* 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (snort3-file-other.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (snort3-os-windows.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (snort3-os-windows.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (snort3-os-windows.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (snort3-file-office.rules)
* 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-file-other.rules)
* 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-file-other.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (snort3-file-office.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (snort3-file-office.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (snort3-browser-ie.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (snort3-file-office.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (snort3-os-windows.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (snort3-file-office.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (snort3-file-office.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (snort3-file-office.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (snort3-file-office.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (snort3-file-office.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (snort3-browser-ie.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (snort3-file-office.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (snort3-file-office.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (snort3-os-windows.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (snort3-file-other.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (snort3-file-other.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (snort3-file-flash.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (snort3-file-office.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (snort3-file-office.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (snort3-file-office.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (snort3-file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48427 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt (server-webapp.rules)
* 1:48436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection (malware-cnc.rules)
* 1:48432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
* 1:48430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cannon outbound connection (malware-cnc.rules)
* 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
* 3:48433 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 3:48434 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0724 attack attempt (file-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products request for dwmapi.dll over SMB attempt (file-other.rules)
* 1:18532 <-> DISABLED <-> OS-WINDOWS Multiple Vendors request for iacenc.dll over SMB attempt (os-windows.rules)
* 1:18497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player and shell extension request for ehtrace.dll over SMB attempt (os-windows.rules)
* 1:18489 <-> DISABLED <-> FILE-OTHER Adobe Photoshop request for wintab32.dll over SMB attempt (file-other.rules)
* 1:18278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista Backup Tool request for fveapi.dll over SMB attempt (os-windows.rules)
* 1:18207 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for msoeres32.dll over SMB attempt (os-windows.rules)
* 1:18206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Address Book request for wab32res.dll over SMB attempt (os-windows.rules)
* 1:21309 <-> DISABLED <-> OS-WINDOWS Microsoft product request for fputlsat.dll over SMB attempt (os-windows.rules)
* 1:37002 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for nwdblib.dll over SMB attempt (file-office.rules)
* 1:37001 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for elsext.dll over SMB attempt (file-office.rules)
* 1:36995 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for spframe.dll over SMB attempt (file-office.rules)
* 1:36993 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mqrt.dll over SMB attempt (file-office.rules)
* 1:36930 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for wuaext.dll over SMB attempt (file-office.rules)
* 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet request for peerdistsvc.dll over SMB attempt (os-windows.rules)
* 1:35216 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode request for atlthunk.dll over SMB attempt (browser-ie.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for rapi.dll over SMB attempt (file-office.rules)
* 1:35144 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Viewer request for msostyle.dll over SMB attempt (file-office.rules)
* 1:23315 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for imeshare.dll over SMB attempt (file-office.rules)
* 1:23163 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for wlanapi.dll over SMB attempt (os-windows.rules)
* 1:23162 <-> DISABLED <-> OS-WINDOWS Microsoft Lync Online request for ncrypt.dll over SMB attempt (os-windows.rules)
* 1:21566 <-> DISABLED <-> OS-WINDOWS Microsoft Expression Design request for wintab32.dll over SMB attempt (os-windows.rules)
* 1:21321 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for uxtheme.dll over SMB attempt (file-flash.rules)
* 1:21320 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player request for atl.dll over SMB attempt (file-flash.rules)
* 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products request for version.dll over SMB attempt (file-other.rules)
* 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for api-ms-win-core-winrt-l1-1-0.dll over SMB attempt (file-office.rules)
* 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for mfplat.dll over SMB attempt (file-office.rules)
* 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer request for mapi32x.dll over SMB attempt (browser-ie.rules)
* 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for msdaora.dll over SMB attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word request for rpawinet.dll over SMB attempt (file-office.rules)
* 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows request for feclient.dll over SMB attempt (os-windows.rules)
* 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for BCSRuntime.dll over SMB attempt (file-office.rules)
* 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office request for phoneinfo.dll over SMB attempt (file-office.rules)
* 1:38421 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for ClbCatQ.dll over SMB attempt (file-flash.rules)
* 1:38171 <-> ENABLED <-> FILE-OTHER Adobe Acrobat request for updaternotifications.dll over SMB attempt (file-other.rules)
* 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word request for OLMAPI32.dll over SMB attempt (file-office.rules)
* 1:38423 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for RASMan.dll over SMB attempt (file-flash.rules)
* 1:38422 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for HNetCfg.dll over SMB attempt (file-flash.rules)
* 1:38424 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for setupapi.dll over SMB attempt (file-flash.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for ociw32.dll over SMB attempt (file-office.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for iasdatastore2.dll over SMB attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for oci.dll over SMB attempt (file-office.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool request for aftermidnight.dll over SMB attempt (file-other.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat request for RARfsClientNP.dll over SMB attempt (file-other.rules)
* 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ request for scilexer.dll over SMB attempt (file-other.rules)
* 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office request for imjp12k.dll over SMB attempt (file-office.rules)
* 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio request for visdlgu.dll over SMB attempt (file-office.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for dbghelp.dll over SMB attempt (file-flash.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player request for apphelp.dll over SMB attempt (file-flash.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 request for aires.dll over SMB attempt (file-other.rules)
* 1:38872 <-> ENABLED <-> FILE-FLASH Adobe Flash Player request for MSIMG32.dll over SMB attempt (file-flash.rules)