Talos Rules 2020-02-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, file-image, file-office, file-other, malware-backdoor, malware-cnc, malware-other, policy-other, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)

Modified Rules:

 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)

Modified Rules:

 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:

 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)

Modified Rules:

 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:

 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (snort3-server-webapp.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (snort3-malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (snort3-malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (snort3-malware-other.rules)
 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (snort3-malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (snort3-malware-other.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (snort3-malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (snort3-malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (snort3-malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (snort3-malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (snort3-malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (snort3-malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (snort3-malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (snort3-malware-other.rules)

Modified Rules:

 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (snort3-server-other.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (snort3-malware-backdoor.rules)
 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (snort3-malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (snort3-malware-cnc.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (snort3-app-detect.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (snort3-sql.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (snort3-server-webapp.rules)

2020-02-04 13:08:50 UTC

Snort Subscriber Rules Update

Date: 2020-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53018 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7564626-0 download attempt (malware-other.rules)
 * 1:53023 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53024 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Ako variant payload download attempt (malware-other.rules)
 * 1:53025 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564971-0 download attempt (malware-other.rules)
 * 1:53017 <-> DISABLED <-> SERVER-WEBAPP NeoFrag CMS database information disclosure attempt (server-webapp.rules)
 * 1:53022 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Pakes-7564913-0 download attempt (malware-other.rules)
 * 1:53019 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7564976-0 download attempt (malware-other.rules)
 * 1:53026 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565080-0 download attempt (malware-other.rules)
 * 1:53030 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565093-0 download attempt (malware-other.rules)
 * 1:53028 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565095-0 download attempt (malware-other.rules)
 * 1:53020 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ursu-7564978-0 download attempt (malware-other.rules)
 * 1:53021 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564562-0 download attempt (malware-other.rules)
 * 1:53029 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565106-0 download attempt (malware-other.rules)
 * 1:53027 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.NetWire-7565085-0 download attempt (malware-other.rules)
 * 3:53012 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53010 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1003 attack attempt (policy-other.rules)
 * 3:53002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0989 attack attempt (file-other.rules)
 * 3:53003 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0993 attack attempt (file-image.rules)
 * 3:53005 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53007 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53015 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53013 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53006 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0998 attack attempt (file-image.rules)
 * 3:53011 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)
 * 3:53004 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0988 attack attempt (file-other.rules)
 * 3:53016 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0987 attack attempt (file-image.rules)
 * 3:53014 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0991 attack attempt (file-image.rules)

Modified Rules:

 * 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
 * 1:688 <-> ENABLED <-> SQL sa login failed (sql.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:6472 <-> ENABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server (malware-backdoor.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:51377 <-> DISABLED <-> SERVER-WEBAPP Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (server-webapp.rules)
 * 1:45046 <-> ENABLED <-> SERVER-OTHER Exim malformed BDAT code execution attempt (server-other.rules)
 * 3:51531 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)
 * 3:51530 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0892 attack attempt (file-image.rules)