Talos Rules 2020-04-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-other, file-other, indicator-shellcode, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats in these areas.

Change logs

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (snort3-malware-cnc.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (snort3-server-oracle.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (snort3-malware-cnc.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (snort3-malware-other.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (snort3-malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (snort3-malware-other.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (snort3-malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (snort3-malware-other.rules)
 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (snort3-malware-other.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (snort3-browser-chrome.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (snort3-malware-other.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (snort3-malware-other.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (snort3-browser-chrome.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (snort3-malware-other.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (snort3-browser-chrome.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (snort3-malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (snort3-malware-other.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (snort3-malware-other.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (snort3-browser-chrome.rules)

Modified Rules:


 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (snort3-indicator-shellcode.rules)
 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (snort3-indicator-shellcode.rules)
 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (snort3-indicator-shellcode.rules)

2020-04-23 12:00:42 UTC

Snort Subscriber Rules Update

Date: 2020-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53741 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53750 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53738 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53748 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53753 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53754 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53749 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Basbanke variant outbound connection (malware-cnc.rules)
 * 1:53747 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53736 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53737 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-7678962-0 download attempt (malware-other.rules)
 * 1:53739 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle Coherence library LimitFilter insecure deserialization attempt (server-oracle.rules)
 * 1:53758 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53751 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53740 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kwampirs malicious executable download attempt (malware-other.rules)
 * 1:53757 <-> ENABLED <-> MALWARE-OTHER CobaltStrike beacon.dll download attempt (malware-other.rules)
 * 1:53746 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 1:53752 <-> ENABLED <-> BROWSER-CHROME Google Chrome ObjectCreate type confusion attempt (browser-chrome.rules)
 * 1:53745 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.Aggah payload download attempt (malware-other.rules)
 * 3:53742 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53743 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1048 attack attempt (file-other.rules)
 * 3:53755 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53756 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1051 attack attempt (server-other.rules)
 * 3:53759 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53760 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1053 attack attempt (browser-other.rules)
 * 3:53761 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)
 * 3:53762 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2020-1054 attack attempt (browser-other.rules)

Modified Rules:


 * 1:30229 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt (indicator-shellcode.rules)
 * 1:30471 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_adduser (indicator-shellcode.rules)
 * 1:30480 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https (indicator-shellcode.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)