Talos Rules 2019-06-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-java, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
 * 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
 * 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
 * 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (snort3-file-java.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (snort3-file-office.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (snort3-indicator-compromise.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (snort3-malware-backdoor.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (snort3-malware-backdoor.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (snort3-indicator-compromise.rules)
 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (snort3-indicator-compromise.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (snort3-server-webapp.rules)
 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (snort3-server-webapp.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (snort3-file-java.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (snort3-malware-tools.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (snort3-malware-backdoor.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (snort3-malware-tools.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (snort3-file-office.rules)

Modified Rules:


 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (snort3-file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (snort3-file-other.rules)
 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (snort3-file-other.rules)

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
 * 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)

2019-06-20 00:52:34 UTC

Snort Subscriber Rules Update

Date: 2019-06-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
 * 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
 * 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
 * 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
 * 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
 * 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
 * 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
 * 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
 * 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
 * 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
 * 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
 * 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
 * 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)