Talos Rules 2020-05-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-multimedia, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:

 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)

Modified Rules:

 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:

 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:

 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:


 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:


 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (snort3-malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (snort3-malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (snort3-malware-other.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (snort3-malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (snort3-malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (snort3-malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (snort3-malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (snort3-malware-other.rules)
 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (snort3-malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (snort3-malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (snort3-malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (snort3-malware-other.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (snort3-malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (snort3-malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (snort3-malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (snort3-malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (snort3-malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (snort3-indicator-compromise.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (snort3-malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (snort3-malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (snort3-malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (snort3-indicator-compromise.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (snort3-malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (snort3-malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (snort3-malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (snort3-malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (snort3-malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (snort3-malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (snort3-malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (snort3-malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (snort3-malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (snort3-malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (snort3-malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (snort3-malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (snort3-malware-other.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (snort3-malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (snort3-malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (snort3-malware-cnc.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (snort3-malware-other.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (snort3-malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (snort3-server-webapp.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (snort3-malware-other.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (snort3-exploit-kit.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (snort3-server-webapp.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (snort3-os-windows.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (snort3-malware-backdoor.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (snort3-browser-plugins.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (snort3-indicator-compromise.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (snort3-malware-cnc.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (snort3-server-webapp.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (snort3-server-apache.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (snort3-policy-other.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (snort3-file-multimedia.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (snort3-policy-other.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (snort3-malware-cnc.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (snort3-malware-cnc.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (snort3-server-other.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (snort3-server-webapp.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (snort3-server-webapp.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (snort3-malware-cnc.rules)

2020-05-05 14:37:04 UTC

Snort Subscriber Rules Update

Date: 2020-05-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53820 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53819 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730732-0 download attempt (malware-other.rules)
 * 1:53803 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53808 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53843 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53805 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53828 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53829 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53830 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7752290-0 download attempt (malware-other.rules)
 * 1:53812 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53831 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53825 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53818 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53809 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53832 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Kuluoz-7752297-0 download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 1:53824 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53823 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Gh0stRAT-7737919-0 download attempt (malware-other.rules)
 * 1:53813 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53833 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53826 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zbot-7727211-0 download attempt (malware-other.rules)
 * 1:53827 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-7751494-0 download attempt (malware-other.rules)
 * 1:53811 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Multibanker-7729242-0 download attempt (malware-other.rules)
 * 1:53807 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727237-0 download attempt (malware-other.rules)
 * 1:53815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 1:53810 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Auqxpmli-7727238-0 download attempt (malware-other.rules)
 * 1:53834 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-7752430-0 download attempt (malware-other.rules)
 * 1:53842 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7752919-0 download attempt (malware-other.rules)
 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53814 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7729710-0 download attempt (malware-other.rules)
 * 1:53806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Upatre-7725946-0 download attempt (malware-other.rules)
 * 1:53802 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53817 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7730667-0 download attempt (malware-other.rules)
 * 1:53821 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53822 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730819-0 download attempt (malware-other.rules)
 * 1:53804 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Kuluoz-7725577-0 download attempt (malware-other.rules)
 * 1:53801 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-7725478-0 download attempt (malware-other.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53838 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7730394-0 download attempt (malware-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)

Modified Rules:


 * 1:18796 <-> DISABLED <-> SERVER-WEBAPP Novell iManager ClassName handling overflow attempt (server-webapp.rules)
 * 1:17666 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer invalid chunk size heap overflow attempt (file-multimedia.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:30090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nitol variant outbound connection (malware-cnc.rules)
 * 1:12239 <-> DISABLED <-> MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection (malware-backdoor.rules)
 * 1:53119 <-> DISABLED <-> SERVER-WEBAPP Wordpress DreamworkGallery plugin file upload attempt (server-webapp.rules)
 * 1:16704 <-> DISABLED <-> BROWSER-PLUGINS CA eTrust PestPatrol ActiveX Initialize method overflow attempt (browser-plugins.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:53348 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:14081 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home (malware-cnc.rules)
 * 1:26892 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download (exploit-kit.rules)
 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
 * 1:19186 <-> DISABLED <-> OS-WINDOWS Microsoft Certification service XSS attempt (os-windows.rules)
 * 1:19332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Clampi variant outbound connection (malware-cnc.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:53381 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)
 * 1:53346 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
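The changelog format stated at the top of each block (gid:sid <-> Default rule state <-> Message (rule group)) is regular enough to parse. The following is an added example, not part of the Talos release note or of Snort itself: a small Python parser that reads that format, keeps track of which Snort version's rule pack each bullet belongs to, and answers the two questions an operator has after an update: which new rules arrived DISABLED (they never fire until you enable them) and which modified rules are ENABLED by default (their match logic changed, so their alert volume can shift on the next reload). The sample text is an excerpt of entries copied from this page; the one-ref-per-line output shape matching pulledpork's enablesid.conf is an assumption.

```python
"""Parse a Snort Subscriber Rules changelog and summarize default rule states."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One changelog bullet:  * gid:sid <-> STATE <-> Message (group.rules)
RULE_LINE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# The sentence that opens each per-version block of the changelog.
VERSION_LINE = re.compile(r"rule pack for Snort version (?P<version>\d+)\.")


@dataclass(frozen=True)
class RuleEntry:
    version: str   # Snort version the rule pack targets, e.g. "2091300"
    section: str   # "new" or "modified"
    gid: int
    sid: int
    enabled: bool  # default rule state in the shipped pack
    msg: str
    group: str

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # The message starts with the class tag, e.g. MALWARE-OTHER or SERVER-WEBAPP.
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Each 'rule pack for Snort version N' sentence starts a new pack; 'New Rules:'
    and 'Modified Rules:' switch the section; every bullet becomes one RuleEntry."""
    entries: list[RuleEntry] = []
    version, section = "?", None
    for line in text.splitlines():
        v = VERSION_LINE.search(line)
        if v:
            version, section = v["version"], None
            continue
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m and section:
            entries.append(RuleEntry(version, section, int(m["gid"]), int(m["sid"]),
                                     m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def _by_gid_sid(ref: str) -> tuple[int, ...]:
    return tuple(int(x) for x in ref.split(":"))


def disabled_new_refs(entries: list[RuleEntry], version: str,
                      categories: set[str] | None = None) -> list[str]:
    """gid:sid of new rules shipped DISABLED in one pack, optionally filtered by class
    tag. One ref per line is the shape pulledpork's enablesid.conf takes (assumption)."""
    refs = {e.ref for e in entries
            if e.version == version and e.section == "new" and not e.enabled
            and (categories is None or e.category in categories)}
    return sorted(refs, key=_by_gid_sid)


def modified_enabled_refs(entries: list[RuleEntry], version: str) -> list[str]:
    """Modified rules that are ENABLED by default: review these first after an update."""
    refs = {e.ref for e in entries
            if e.version == version and e.section == "modified" and e.enabled}
    return sorted(refs, key=_by_gid_sid)


def refs_per_pack(entries: list[RuleEntry]) -> dict[str, set[str]]:
    """Refs listed under each pack version, to check the packs agree with each other."""
    out: dict[str, set[str]] = {}
    for e in entries:
        out.setdefault(e.version, set()).add(e.ref)
    return out


# Excerpt of entries from this page (two of the per-version blocks, shortened).
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:

 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53836 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (indicator-compromise.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (malware-other.rules)
 * 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
 * 3:53840 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1060 attack attempt (policy-other.rules)
 * 3:53839 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1059 attack attempt (policy-other.rules)

Modified Rules:

 * 1:53350 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt (server-webapp.rules)
 * 1:53256 <-> ENABLED <-> SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt (server-webapp.rules)
 * 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
 * 1:44037 <-> ENABLED <-> INDICATOR-COMPROMISE DNS request for known malware sinkhole domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - WannaCry (indicator-compromise.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:53835 <-> DISABLED <-> INDICATOR-COMPROMISE Chromium use after free exploitation attempt (snort3-indicator-compromise.rules)
 * 1:53837 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Maze variant download attempt (snort3-malware-other.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new but DISABLED (2091300):", disabled_new_refs(parsed, "2091300"))
    print("modified and ENABLED (2091300):", modified_enabled_refs(parsed, "2091300"))
    print("refs per pack:", {k: sorted(v) for k, v in refs_per_pack(parsed).items()})
```

Run it against the full text of this page instead of SAMPLE and the first list is the set of gid 1 SIDs that do nothing on a default policy until you opt in; the gid 3 TRUFFLEHUNTER entries are excluded because they ship ENABLED. Note that gid 3 rules are shared-object rules, so they only load where the matching precompiled SO rule pack is installed.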