Talos Rules 2020-03-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)

Modified Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)

Modified Rules:


 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)

Modified Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)

Modified Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)

Modified Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (snort3-server-webapp.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (snort3-server-webapp.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (snort3-server-webapp.rules)
 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (snort3-malware-other.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (snort3-malware-other.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (snort3-malware-other.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (snort3-malware-other.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (snort3-malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (snort3-malware-other.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (snort3-indicator-obfuscation.rules)
 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (snort3-malware-cnc.rules)

2020-03-31 12:07:02 UTC

Snort Subscriber Rules Update

Date: 2020-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53512 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53514 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53515 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53510 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53516 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Upatre-7640443-0 download attempt (malware-other.rules)
 * 1:53508 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53511 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-7641431-0 download attempt (malware-other.rules)
 * 1:53507 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 1:53513 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.XtremeRAT-7641498-0 download attempt (malware-other.rules)
 * 1:53509 <-> DISABLED <-> SERVER-WEBAPP Zyxel NAS devices command injection attempt (server-webapp.rules)
 * 3:53518 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53517 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1037 attack attempt (file-other.rules)
 * 3:53524 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53519 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53521 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)
 * 3:53523 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1034 attack attempt (file-other.rules)
 * 3:53520 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1038 attack attempt (file-other.rules)
 * 3:53522 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1039 attack attempt (file-other.rules)

Modified Rules:


 * 1:52847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.COMRat outbound communication attempt (malware-cnc.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)