Talos Rules 2020-06-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (snort3-browser-firefox.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (snort3-malware-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (snort3-malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (snort3-malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (snort3-malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (snort3-malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (snort3-malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (snort3-malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (snort3-policy-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (snort3-malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (snort3-malware-other.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (snort3-malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (snort3-malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (snort3-browser-firefox.rules)
 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (snort3-malware-cnc.rules)

2020-06-23 11:51:29 UTC

Snort Subscriber Rules Update

Date: 2020-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54374 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54385 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54387 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54384 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54376 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54375 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)
 * 1:54377 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54378 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zbot-8108321-0 download attempt (malware-other.rules)
 * 1:54379 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54380 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox ReadableStreamCloseInternal out-of-bounds access attempt (browser-firefox.rules)
 * 1:54381 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54382 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Vidar-8170701-0 download attempt (malware-other.rules)
 * 1:54383 <-> DISABLED <-> POLICY-OTHER Potentially suspicious fragmented IP in IP packet (policy-other.rules)
 * 1:54386 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qbot malicious executable download attempt (malware-other.rules)
 * 1:54373 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.IndigoDrop variant binary download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection  (malware-cnc.rules)