Talos Rules 2019-07-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc, os-windows, policy-other, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091400.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (snort3-policy-other.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (snort3-policy-other.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)

Modified Rules:


 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (snort3-os-windows.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)

2019-07-18 12:06:41 UTC

Snort Subscriber Rules Update

Date: 2019-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
 * 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
 * 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
 * 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
 * 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
 * 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
 * 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
 * 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
 * 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
 * 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
 * 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
 * 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
 * 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
 * 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)