Talos Rules 2019-06-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (server-webapp.rules)
 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 3:50295 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)
 * 3:50296 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)

Modified Rules:

 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (server-webapp.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 3:50296 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)
 * 3:50295 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)

Modified Rules:

 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (server-webapp.rules)
 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 3:50295 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)
 * 3:50296 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)

Modified Rules:

 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (snort3-file-pdf.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (snort3-malware-cnc.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (snort3-malware-cnc.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (snort3-server-webapp.rules)
 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (snort3-malware-other.rules)
 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (snort3-malware-cnc.rules)
 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (snort3-malware-cnc.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (snort3-malware-other.rules)
 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (snort3-file-pdf.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (snort3-malware-other.rules)

Modified Rules:

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (server-webapp.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 3:50295 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)
 * 3:50296 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)

Modified Rules:

 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

2019-06-04 11:58:54 UTC

Snort Subscriber Rules Update

Date: 2019-06-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50294 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50281 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50280 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50297 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50279 <-> ENABLED <-> MALWARE-OTHER Doc.Trojan.Xshell variant download attempt (malware-other.rules)
 * 1:50298 <-> ENABLED <-> FILE-PDF Adobe Acrobat execCalculate use after free attempt (file-pdf.rules)
 * 1:50283 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50285 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50286 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50287 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50288 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50289 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50299 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Convert Plus unauthenticated administrator account creation attempt (server-webapp.rules)
 * 1:50290 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50282 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 1:50292 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50291 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Decred additional payload download attempt (malware-other.rules)
 * 1:50293 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateDescendantDependentFlags use-after-free attempt (browser-webkit.rules)
 * 1:50284 <-> ENABLED <-> MALWARE-CNC Unix.Miner.Decred variant outbound connection (malware-cnc.rules)
 * 3:50296 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)
 * 3:50295 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0845 attack attempt (file-other.rules)

Modified Rules:

 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)