Talos Rules 2020-06-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, malware-cnc, os-windows, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)

Modified Rules:


 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)

Modified Rules:


 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)

Modified Rules:


 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)

Modified Rules:


 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)

Modified Rules:


 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)

Modified Rules:


 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (snort3-server-other.rules)
 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (snort3-protocol-telnet.rules)

Modified Rules:


 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (snort3-policy-other.rules)

2020-06-25 17:42:38 UTC

Snort Subscriber Rules Update

Date: 2020-06-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection attempt (malware-cnc.rules)
 * 1:54388 <-> ENABLED <-> SERVER-OTHER OpenSMTPD mta_io remote command injection attempt (server-other.rules)
 * 1:54389 <-> ENABLED <-> PROTOCOL-TELNET netkit-telnet server memory corruption attempt (protocol-telnet.rules)
 * 3:54392 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)
 * 3:54391 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54390 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1096 attack attempt (file-image.rules)
 * 3:54393 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2020-1098 attack attempt (os-windows.rules)

Modified Rules:


 * 1:54022 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:51377 <-> DISABLED <-> POLICY-OTHER Progress Telerik UI for ASP.NET AJAX arbitrary file upload attempt (policy-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54023 <-> ENABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)