Talos Rules 2020-06-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-other, policy-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (snort3-malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (snort3-malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (snort3-malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (snort3-malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (snort3-malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (snort3-malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (snort3-policy-other.rules)
 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (snort3-pua-adware.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (snort3-malware-other.rules)
 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (snort3-policy-other.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (snort3-server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (snort3-server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (snort3-policy-other.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (snort3-server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (snort3-server-webapp.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (snort3-server-webapp.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (snort3-server-webapp.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (snort3-server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (snort3-server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (snort3-server-webapp.rules)
 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (snort3-policy-other.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (snort3-server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (snort3-server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (snort3-server-apache.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (snort3-server-webapp.rules)

2020-06-16 12:04:44 UTC

Snort Subscriber Rules Update

Date: 2020-06-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54307 <-> ENABLED <-> PUA-ADWARE Js.Adware.Agent variant redirect attempt (pua-adware.rules)
 * 1:54298 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54299 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Tinba-8025802-0 download attempt (malware-other.rules)
 * 1:54300 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54301 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Bladabindi-8025641-0 download attempt (malware-other.rules)
 * 1:54302 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54303 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-8027829-0 download attempt (malware-other.rules)
 * 1:54304 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54305 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Nanocore-8030566-0 download attempt (malware-other.rules)
 * 1:54306 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 3:54314 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54313 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54315 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54310 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54311 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)
 * 3:54312 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1094 attack attempt (file-other.rules)

Modified Rules:


 * 1:42093 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt (policy-other.rules)
 * 1:20656 <-> DISABLED <-> SERVER-WEBAPP GestArtremote file include in aide.php3 aide (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:20650 <-> DISABLED <-> SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root (server-webapp.rules)
 * 1:20657 <-> DISABLED <-> SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp (server-webapp.rules)
 * 1:20654 <-> DISABLED <-> SERVER-WEBAPP GrapAgenda remote file include in index.php page (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:34584 <-> DISABLED <-> POLICY-OTHER Novell ZENworks Configuration Management session id disclosure attempt (policy-other.rules)
 * 1:20643 <-> DISABLED <-> SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt (server-webapp.rules)
 * 1:20651 <-> DISABLED <-> SERVER-WEBAPP Modernbill remote file include in config.php DIR (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:20640 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt (server-webapp.rules)
 * 1:20663 <-> DISABLED <-> SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language (server-webapp.rules)
 * 1:20652 <-> DISABLED <-> SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab (server-webapp.rules)