Talos Rules 2019-04-11
This release adds and modifies rules in several categories.

Yuzo Related Posts Zero-Day Vulnerability: A coding deficiency exists in the Yuzo Related Posts plugin for WordPress that may lead to cross-site scripting.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 49795 through 49796.

Talos has added and modified multiple rules in the browser-ie, file-office, file-other, malware-cnc, malware-other, os-windows, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (malware-cnc.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)
 * 3:49787 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0807 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
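
The listing format above is regular enough to be machine-read, which matters in practice: several of the new rules in this release (the D-Link DNS-320L code injection, Equation Editor and Go dll-load rules) ship DISABLED and give no coverage until someone enables them. The following is an added example, not Talos or Snort code, that parses the "gid:sid <-> Default rule state <-> Message (rule group)" lines, separates new from modified rules, verifies that an announced SID range (such as 49795 through 49796) is actually present, and lists the rules that are disabled by default so they can be enabled deliberately. The sample text is excerpted from the Snort 2091300 listing above; the "gid:sid" output lines are the form rule managers such as pulledpork accept in enablesid.conf.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample input: lines copied verbatim from the Snort 2091300 listing above
# (a subset, enough to exercise both sections and both GIDs).
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)

Modified Rules:

 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
"""

# One changelog entry: "gid:sid <-> Default rule state <-> Message (rule group)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # "ENABLED" or "DISABLED": the default state the rule ships with
    msg: str
    group: str      # rule file, e.g. "server-webapp.rules"
    section: str    # "new" or "modified"

    @property
    def category(self) -> str:
        # Rule messages start with their class, e.g. "SERVER-WEBAPP".
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse the 'New Rules:' / 'Modified Rules:' blocks into RuleEntry records."""
    entries: list[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m and section is not None:
            entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                     m["msg"], m["group"], section))
    return entries


def covers_sid_range(entries: Iterable[RuleEntry], gid: int, first: int, last: int) -> bool:
    """Check that every SID in an announced range (e.g. 49795 through 49796) is present."""
    present = {(e.gid, e.sid) for e in entries}
    return all((gid, sid) in present for sid in range(first, last + 1))


def disabled_by_default(entries: Iterable[RuleEntry],
                        category: Optional[str] = None) -> list[RuleEntry]:
    """Rules that ship DISABLED: these give no coverage until you enable them."""
    picked = [e for e in entries
              if e.state == "DISABLED" and (category is None or e.category == category)]
    return sorted(picked, key=lambda e: (e.gid, e.sid))


def enable_sid_lines(entries: Iterable[RuleEntry]) -> list[str]:
    """Emit 'gid:sid' lines, the form rule managers such as pulledpork take in enablesid.conf."""
    ordered = sorted(entries, key=lambda e: (e.gid, e.sid))
    return [f"{e.gid}:{e.sid}" for e in ordered]


def count_by_state(entries: Iterable[RuleEntry]) -> Counter:
    """How many rules in the release are on versus off by default."""
    return Counter(e.state for e in entries)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print(count_by_state(rules))
    print("Yuzo SIDs 49795-49796 present:", covers_sid_range(rules, 1, 49795, 49796))
    for e in disabled_by_default(rules, "SERVER-WEBAPP"):
        print(f"disabled by default: {e.gid}:{e.sid} {e.msg}")
    print("\n".join(enable_sid_lines(disabled_by_default(rules))))
```

Run against a full release note, the category filter is the useful part: enabling every DISABLED rule blindly adds noise, whereas enabling the server-webapp rules for products you actually run (here the D-Link NAS) is a deliberate coverage decision.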

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (malware-cnc.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 3:49787 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0807 attack attempt (protocol-scada.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (malware-cnc.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)
 * 3:49787 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0807 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (snort3-file-other.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (snort3-server-webapp.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (snort3-os-windows.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (snort3-malware-other.rules)
 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (snort3-malware-cnc.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (snort3-file-office.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (snort3-server-webapp.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (snort3-file-office.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (snort3-file-other.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (snort3-file-other.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (snort3-file-other.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (snort3-malware-cnc.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (snort3-malware-cnc.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (snort3-malware-other.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (snort3-malware-cnc.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (snort3-malware-cnc.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (snort3-malware-cnc.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (snort3-os-windows.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (snort3-malware-other.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (snort3-malware-other.rules)
 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (snort3-os-windows.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (snort3-os-windows.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (snort3-file-other.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (snort3-file-other.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)

Modified Rules:


 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (snort3-server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (snort3-browser-ie.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (snort3-browser-ie.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (snort3-server-webapp.rules)
 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (snort3-server-webapp.rules)

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (malware-cnc.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 3:49787 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0807 attack attempt (protocol-scada.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)

2019-04-11 17:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49790 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49773 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49792 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49794 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49795 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49793 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49769 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49767 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49766 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt (malware-other.rules)
 * 1:49791 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:49776 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49775 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:49785 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49782 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49783 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49784 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49781 <-> DISABLED <-> FILE-OTHER Go binary dll-load exploit attempt (file-other.rules)
 * 1:49777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection (malware-cnc.rules)
 * 1:49768 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt (server-webapp.rules)
 * 1:49771 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49770 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Imminent variant download attempt (malware-other.rules)
 * 1:49774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant outbound connection (malware-cnc.rules)
 * 1:49772 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Imminent variant inbound response (malware-cnc.rules)
 * 1:49786 <-> DISABLED <-> FILE-OTHER Go binary bll-load exploit attempt (file-other.rules)
 * 1:49762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AppXSVC privilege escalation attempt (os-windows.rules)
 * 1:49796 <-> ENABLED <-> SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt (server-webapp.rules)
 * 1:49788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 1:49789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zacinlo outbound connection (malware-cnc.rules)
 * 3:49780 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0806 attack attempt (protocol-scada.rules)
 * 3:49787 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0807 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:24520 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:45407 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt (server-webapp.rules)
 * 1:27862 <-> DISABLED <-> SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt (server-webapp.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)