Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-multimedia, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)

* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (snort3-malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (snort3-malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (snort3-malware-other.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (snort3-malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (snort3-malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (snort3-malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (snort3-malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (snort3-malware-other.rules)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (snort3-malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (snort3-malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (snort3-malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (snort3-malware-other.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (snort3-malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (snort3-malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (snort3-malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (snort3-malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (snort3-malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (snort3-indicator-compromise.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (snort3-malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (snort3-malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (snort3-malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (snort3-indicator-compromise.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (snort3-malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (snort3-malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (snort3-malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (snort3-malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (snort3-malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (snort3-malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (snort3-malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (snort3-malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (snort3-malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (snort3-malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (snort3-malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (snort3-malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (snort3-malware-other.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (snort3-malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (snort3-malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (snort3-malware-cnc.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (snort3-malware-other.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (snort3-malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (snort3-malware-other.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (snort3-server-webapp.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (snort3-malware-other.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (snort3-exploit-kit.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (snort3-server-webapp.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (snort3-os-windows.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (snort3-malware-backdoor.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (snort3-browser-plugins.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (snort3-indicator-compromise.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (snort3-malware-cnc.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (snort3-server-webapp.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (snort3-server-apache.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (snort3-policy-other.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (snort3-file-multimedia.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (snort3-policy-other.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (snort3-malware-cnc.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (snort3-malware-cnc.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (snort3-server-other.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (snort3-server-webapp.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
* 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
* 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
* 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
* 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
* 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
* 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
* 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
* 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
* 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
* 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
* 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
* 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
* 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
* 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
* 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
* 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
* 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
* 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
* 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
* 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
* 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
* 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
* 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
* 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
* 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
* 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
* 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
* 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
* 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
* 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
* 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
* 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
* 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
* 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
* 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)