Talos Rules 2020-05-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-plugins, file-identify, file-other, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
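The changelog format documented above (gid:sid <-> Default rule state <-> Message (rule group)) is easy to parse, and the two things an operator wants out of it before deploying are the new rules that ship DISABLED (they will not fire until enabled locally) and the gid 3 entries (shared-object rules, which only load if the SO rule package matching the Snort build is installed). The script below is an added example, not Talos or Snort tooling; its sample text is a constructed subset of the 2091600 and Snort 3 (3000) changelogs on this page, and the comparison function simply shows which gid:sid entries one changelog carries that another does not.

```python
"""Parse a Snort Subscriber Rules changelog in the format this page documents.

Added example for this page; it is not Talos or Snort tooling. The sample
text below is a constructed subset of the 2091600 and 3000 changelogs above.
"""
import re
from collections import Counter

# Documented line format: gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

# Constructed sample: a subset of the 2091600 (Snort 2.9.16.0) changelog above.
SNORT2_SAMPLE = """\
New Rules:

 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
"""

# Constructed sample: the same gid 1 entries as they appear in the Snort 3 (3000) changelog.
SNORT3_SAMPLE = """\
New Rules:

 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (snort3-malware-cnc.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (snort3-malware-other.rules)

Modified Rules:

 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ('new'/'modified') it came from."""
    section, rules = None, []
    for line in text.splitlines():
        if line.startswith("New Rules"):
            section = "new"
            continue
        if line.startswith("Modified Rules"):
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, anything not in the documented format
        r = m.groupdict()
        r["gid"], r["sid"] = int(r["gid"]), int(r["sid"])
        r["category"] = r["msg"].split(" ", 1)[0]  # e.g. MALWARE-CNC
        r["section"] = section
        rules.append(r)
    return rules


def disabled_new_rules(rules):
    """New rules shipped DISABLED: they never fire unless enabled locally."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in rules
                  if r["section"] == "new" and r["state"] == "DISABLED")


def shared_object_rules(rules):
    """gid 3 rules are shared-object (precompiled) rules; they need the SO package for your build."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in rules if r["gid"] == 3)


def count_by_group(rules):
    """Rule file -> number of changed rules, i.e. which files to redeploy."""
    return dict(Counter(r["group"] for r in rules))


def missing_from(rules_a, rules_b):
    """gid:sid entries present in changelog A but absent from changelog B."""
    ids_a = {(r["gid"], r["sid"]) for r in rules_a}
    ids_b = {(r["gid"], r["sid"]) for r in rules_b}
    return sorted(f"{g}:{s}" for g, s in ids_a - ids_b)


if __name__ == "__main__":
    snort2, snort3 = parse_changelog(SNORT2_SAMPLE), parse_changelog(SNORT3_SAMPLE)
    print("disabled by default:", disabled_new_rules(snort2))
    print("shared-object rules:", shared_object_rules(snort2))
    print("per rule file:", count_by_group(snort2))
    print("not in the Snort 3 changelog:", missing_from(snort2, snort3))
```

Run against the full changelog for your Snort version, the gid:sid strings returned by disabled_new_rules are the entries to review and, if the coverage is wanted, to add to the local enable list (PulledPork's enablesid.conf takes gid:sid entries in that form); the Zeroaccess and Fareitvb download-attempt rules in this release are examples of rules that default to DISABLED. The comparison against the Snort 3 changelog makes visible that the gid 3 TRUFFLEHUNTER rules in this release are listed only for the Snort 2.9.x rule packs.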

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (snort3-malware-cnc.rules)
 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (snort3-malware-other.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (snort3-malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (snort3-malware-other.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (snort3-malware-cnc.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (snort3-file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (snort3-malware-cnc.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)

2020-05-26 20:27:35 UTC

Snort Subscriber Rules Update

Date: 2020-05-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
 * 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
 * 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
 * 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
 * 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
 * 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
 * 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
 * 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
 * 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
 * 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)