Talos Rules 2019-09-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-office, malware-backdoor, malware-cnc, malware-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats in these areas.

Change logs

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:

 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:

 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:

 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:

 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (snort3-malware-other.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (snort3-malware-cnc.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (snort3-malware-backdoor.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (snort3-protocol-voip.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (snort3-malware-other.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (snort3-malware-backdoor.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (snort3-malware-other.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (snort3-server-other.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (snort3-server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (snort3-server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (snort3-server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (snort3-server-webapp.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (snort3-protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (snort3-protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (snort3-protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (snort3-protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (snort3-protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (snort3-protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (snort3-protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (snort3-protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (snort3-protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (snort3-protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (snort3-protocol-voip.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (snort3-protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (snort3-protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (snort3-protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (snort3-protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (snort3-protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (snort3-protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (snort3-protocol-voip.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (snort3-protocol-voip.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (snort3-malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (snort3-malware-other.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (snort3-malware-other.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (snort3-malware-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)

Modified Rules:


2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:


 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

2019-09-12 13:55:49 UTC

Snort Subscriber Rules Update

Date: 2019-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51525 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51528 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51534 <-> ENABLED <-> MALWARE-BACKDOOR DNS request for open LocalXpose reverse proxy backdoor domain ANY.loclx.io (malware-backdoor.rules)
 * 1:51488 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51489 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51523 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51491 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51502 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51499 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51500 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51503 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51497 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51498 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51496 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51493 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51492 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection (malware-cnc.rules)
 * 1:51490 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51533 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection (malware-cnc.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51518 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51514 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51486 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51520 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51521 <-> ENABLED <-> MALWARE-OTHER Win.Exploit.Hacktool malicious executable download attempt (malware-other.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51519 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51516 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51517 <-> DISABLED <-> MALWARE-OTHER Html.Downloader.Agent download attempt (malware-other.rules)
 * 1:51501 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51515 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51512 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51513 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51505 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51507 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51495 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51506 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51510 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51535 <-> ENABLED <-> MALWARE-BACKDOOR TLS certificate securing LocalXpose reverse proxy backdoor (malware-backdoor.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51487 <-> DISABLED <-> SERVER-WEBAPP Webmin password_change command injection attempt (server-webapp.rules)
 * 1:51484 <-> ENABLED <-> MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt (malware-other.rules)
 * 1:51527 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

Modified Rules:


 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)