Talos Rules 2019-01-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, file-pdf, malware-cnc, os-windows, protocol-scada, pua-adware and server-other rule sets to provide coverage for emerging threats from these technologies. Note the default states in the lists below: the new PROTOCOL-SCADA PCOM rules, the PUA-ADWARE rules and the FILE-OTHER Windows Contact file rules ship DISABLED and must be enabled explicitly where they are wanted, while the MALWARE-CNC, FILE-PDF, OS-WINDOWS and gid:3 TRUFFLEHUNTER additions are ENABLED by default.

Change logs

2019-01-29 16:48:53 UTC

Snort Subscriber Rules Update

Date: 2019-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (protocol-scada.rules)
 * 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request  (protocol-scada.rules)
 * 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request  (protocol-scada.rules)
 * 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request  (protocol-scada.rules)
 * 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request  (protocol-scada.rules)
 * 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request  (protocol-scada.rules)
 * 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request  (protocol-scada.rules)
 * 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request  (protocol-scada.rules)
 * 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request  (protocol-scada.rules)
 * 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request  (protocol-scada.rules)
 * 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request  (protocol-scada.rules)
 * 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request  (protocol-scada.rules)
 * 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request  (protocol-scada.rules)
 * 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request  (protocol-scada.rules)
 * 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request  (protocol-scada.rules)
 * 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request  (protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (protocol-scada.rules)
 * 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request  (protocol-scada.rules)
 * 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request  (protocol-scada.rules)
 * 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request  (protocol-scada.rules)
 * 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request  (protocol-scada.rules)
 * 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request  (protocol-scada.rules)
 * 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
 * 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
 * 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request  (protocol-scada.rules)
 * 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
 * 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
 * 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
 * 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
 * 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
 * 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
 * 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
 * 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
 * 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
 * 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
 * 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
 * 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
 * 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
 * 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
 * 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
 * 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
 * 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
 * 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
 * 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
 * 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
 * 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
 * 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
 * 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
 * 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
 * 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
 * 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
 * 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
 * 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
 * 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
 * 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
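
The list above follows the documented "gid:sid <-> Default rule state <-> Message (rule group)" layout, which makes it easy to process mechanically. The following parser is an added example, not Talos or Snort project code: it reads change log text in that layout, tallies default states per rule group, emits the gid:sid list of a rule class's DISABLED entries (the ones an operator has to opt into), and compares two version packs by rule id. Its sample input is constructed from a handful of the entries in this release note, trimmed so it runs offline; the remark about PulledPork's enablesid.conf is an assumption about that tool's input format and is not taken from this page.

```python
"""Parse Talos 'Snort Subscriber Rules Update' change logs (example code, not Talos tooling).

Each rule line follows the format the release note documents:
    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the 2019-01-29 note (Snort 2.9.12.0 pack),
# trimmed to a handful of lines so the parser can be exercised offline.
PACK_2091200 = """\
Snort Subscriber Rules Update

Date: 2019-01-29

New Rules:

 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
 * 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
"""

# Constructed sample for the Snort 3 pack (version 3000): same sids, snort3-* groups, no gid:3 rules.
PACK_3000 = """\
New Rules:

 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (snort3-malware-cnc.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (snort3-protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (snort3-protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (snort3-pua-adware.rules)

Modified Rules:

 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (snort3-malware-cnc.rules)
"""

# One rule line. The lazy message group plus \s* absorbs the double space some messages carry
# before the "(group.rules)" suffix.
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ('new'/'modified') it sits under."""
    entries, section = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, 'Date:' lines, blanks
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "category": m["msg"].split(" ", 1)[0],  # rule class, e.g. PROTOCOL-SCADA
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
    return entries


def state_counts(entries):
    """Per rule-group tally of default states, e.g. {'protocol-scada.rules': {'ENABLED': 2, 'DISABLED': 2}}."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for e in entries:
        counts[e["group"]][e["state"]] += 1
    return dict(counts)


def disabled_sids(entries, category):
    """gid:sid strings for rules of one class that ship DISABLED, i.e. the ones you must opt into.

    One gid:sid per line is the shape PulledPork's enablesid.conf takes (assumption: check your
    rule manager's documentation before feeding it this output)."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries
                  if e["category"] == category and e["state"] == "DISABLED")


def shared_object_sids(entries):
    """gid:sid strings for gid 3 (shared-object) rules, which need the platform-specific .so build."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if e["gid"] == 3)


def missing_from(pack_a, pack_b):
    """gid:sid pairs present in pack_a but absent from pack_b; keyed on id because group names differ."""
    ids_a = {(e["gid"], e["sid"]) for e in pack_a}
    ids_b = {(e["gid"], e["sid"]) for e in pack_b}
    return sorted(f"{g}:{s}" for g, s in ids_a - ids_b)


if __name__ == "__main__":
    v2 = parse_changelog(PACK_2091200)
    v3 = parse_changelog(PACK_3000)
    print("default states per group:", state_counts(v2))
    print("PCOM rules shipped disabled:", disabled_sids(v2, "PROTOCOL-SCADA"))
    print("in the 2.9.12.0 pack but not the Snort 3 pack:", missing_from(v2, v3))
```

Run against the full text of this release note, missing_from() shows that the Snort 3 (version 3000) pack lists none of the gid:3 entries that appear in the 2.9.x packs, and disabled_sids() gives the complete PCOM opt-in list in one step instead of reading it off by hand.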

2019-01-29 16:48:53 UTC

Snort Subscriber Rules Update

Date: 2019-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
 * 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
 * 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request  (protocol-scada.rules)
 * 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request  (protocol-scada.rules)
 * 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request  (protocol-scada.rules)
 * 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request  (protocol-scada.rules)
 * 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request  (protocol-scada.rules)
 * 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request  (protocol-scada.rules)
 * 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request  (protocol-scada.rules)
 * 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request  (protocol-scada.rules)
 * 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request  (protocol-scada.rules)
 * 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request  (protocol-scada.rules)
 * 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request  (protocol-scada.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request  (protocol-scada.rules)
 * 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request  (protocol-scada.rules)
 * 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request  (protocol-scada.rules)
 * 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request  (protocol-scada.rules)
 * 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request  (protocol-scada.rules)
 * 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request  (protocol-scada.rules)
 * 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
 * 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
 * 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
 * 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
 * 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
 * 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
 * 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
 * 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
 * 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
 * 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
 * 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
 * 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
 * 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
 * 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request  (protocol-scada.rules)
 * 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
 * 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
 * 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
 * 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
 * 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
 * 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
 * 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
 * 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
 * 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
 * 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
 * 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request  (protocol-scada.rules)
 * 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request  (protocol-scada.rules)
 * 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request  (protocol-scada.rules)
 * 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
 * 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
 * 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
 * 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
 * 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
 * 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
 * 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
 * 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)

2019-01-29 16:48:53 UTC

Snort Subscriber Rules Update

Date: 2019-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request  (snort3-protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (snort3-pua-adware.rules)
 * 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (snort3-pua-adware.rules)
 * 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (snort3-pua-adware.rules)
 * 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request  (snort3-protocol-scada.rules)
 * 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (snort3-os-windows.rules)
 * 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (snort3-os-windows.rules)
 * 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (snort3-file-other.rules)
 * 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (snort3-file-other.rules)
 * 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request  (snort3-protocol-scada.rules)
 * 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request  (snort3-protocol-scada.rules)
 * 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request  (snort3-protocol-scada.rules)
 * 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request  (snort3-protocol-scada.rules)
 * 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request  (snort3-protocol-scada.rules)
 * 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request  (snort3-protocol-scada.rules)
 * 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request  (snort3-protocol-scada.rules)
 * 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request  (snort3-protocol-scada.rules)
 * 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request  (snort3-protocol-scada.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (snort3-protocol-scada.rules)
 * 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request  (snort3-protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (snort3-protocol-scada.rules)
 * 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request  (snort3-protocol-scada.rules)
 * 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request  (snort3-protocol-scada.rules)
 * 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request  (snort3-protocol-scada.rules)
 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (snort3-malware-cnc.rules)
 * 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request  (snort3-protocol-scada.rules)
 * 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request  (snort3-protocol-scada.rules)
 * 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request  (snort3-protocol-scada.rules)
 * 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request  (snort3-protocol-scada.rules)
 * 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (snort3-protocol-scada.rules)
 * 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (snort3-protocol-scada.rules)
 * 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (snort3-protocol-scada.rules)
 * 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (snort3-protocol-scada.rules)
 * 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request  (snort3-protocol-scada.rules)
 * 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (snort3-protocol-scada.rules)
 * 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (snort3-protocol-scada.rules)
 * 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (snort3-protocol-scada.rules)
 * 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (snort3-protocol-scada.rules)
 * 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (snort3-protocol-scada.rules)
 * 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (snort3-protocol-scada.rules)
 * 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (snort3-protocol-scada.rules)
 * 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (snort3-protocol-scada.rules)
 * 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (snort3-protocol-scada.rules)
 * 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (snort3-protocol-scada.rules)
 * 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (snort3-protocol-scada.rules)
 * 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (snort3-protocol-scada.rules)
 * 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (snort3-protocol-scada.rules)
 * 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (snort3-protocol-scada.rules)
 * 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (snort3-protocol-scada.rules)
 * 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (snort3-protocol-scada.rules)
 * 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (snort3-protocol-scada.rules)
 * 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (snort3-protocol-scada.rules)
 * 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (snort3-protocol-scada.rules)
 * 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (snort3-protocol-scada.rules)
 * 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (snort3-protocol-scada.rules)
 * 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (snort3-protocol-scada.rules)
 * 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (snort3-malware-cnc.rules)
 * 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request  (snort3-protocol-scada.rules)
 * 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request  (snort3-protocol-scada.rules)
 * 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (snort3-malware-cnc.rules)
 * 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (snort3-server-other.rules)

2019-01-29 16:48:53 UTC

Snort Subscriber Rules Update

Date: 2019-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
 * 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
 * 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
 * 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
 * 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
 * 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
 * 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
 * 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
 * 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
 * 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request  (protocol-scada.rules)
 * 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request  (protocol-scada.rules)
 * 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request  (protocol-scada.rules)
 * 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request  (protocol-scada.rules)
 * 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request  (protocol-scada.rules)
 * 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request  (protocol-scada.rules)
 * 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request  (protocol-scada.rules)
 * 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request  (protocol-scada.rules)
 * 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request  (protocol-scada.rules)
 * 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request  (protocol-scada.rules)
 * 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request  (protocol-scada.rules)
 * 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request  (protocol-scada.rules)
 * 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request  (protocol-scada.rules)
 * 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request  (protocol-scada.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (protocol-scada.rules)
 * 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request  (protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (protocol-scada.rules)
 * 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request  (protocol-scada.rules)
 * 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request  (protocol-scada.rules)
 * 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request  (protocol-scada.rules)
 * 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request  (protocol-scada.rules)
 * 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request  (protocol-scada.rules)
 * 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request  (protocol-scada.rules)
 * 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
 * 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
 * 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
 * 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
 * 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
 * 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
 * 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
 * 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
 * 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
 * 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
 * 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
 * 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
 * 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
 * 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
 * 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
 * 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
 * 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
 * 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
 * 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
 * 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
 * 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
 * 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
 * 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)

Modified Rules:
 * 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)

2019-01-29 16:48:53 UTC

Snort Subscriber Rules Update

Date: 2019-01-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
 * 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request  (protocol-scada.rules)
 * 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request  (protocol-scada.rules)
 * 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request  (protocol-scada.rules)
 * 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request  (protocol-scada.rules)
 * 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
 * 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
 * 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
 * 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
 * 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
 * 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
 * 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
 * 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
 * 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
 * 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request  (protocol-scada.rules)
 * 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request  (protocol-scada.rules)
 * 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request  (protocol-scada.rules)
 * 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
 * 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request  (protocol-scada.rules)
 * 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request  (protocol-scada.rules)
 * 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request  (protocol-scada.rules)
 * 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request  (protocol-scada.rules)
 * 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request  (protocol-scada.rules)
 * 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request  (protocol-scada.rules)
 * 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request  (protocol-scada.rules)
 * 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request  (protocol-scada.rules)
 * 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request  (protocol-scada.rules)
 * 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
 * 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
 * 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
 * 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
 * 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
 * 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
 * 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request  (protocol-scada.rules)
 * 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request  (protocol-scada.rules)
 * 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request  (protocol-scada.rules)
 * 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request  (protocol-scada.rules)
 * 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request  (protocol-scada.rules)
 * 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request  (protocol-scada.rules)
 * 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request  (protocol-scada.rules)
 * 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request  (protocol-scada.rules)
 * 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
 * 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
 * 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
 * 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
 * 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
 * 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
 * 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
 * 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
 * 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
 * 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
 * 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
 * 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
 * 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
 * 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
 * 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
 * 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
 * 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
 * 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
 * 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
 * 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
 * 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)
 * 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
 * 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)

Modified Rules:
 * 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
 * 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)