Talos Rules 2020-07-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-other, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (snort3-malware-other.rules)
 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (snort3-server-webapp.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (snort3-malware-other.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (snort3-server-webapp.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (snort3-malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (snort3-malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (snort3-malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (snort3-malware-other.rules)
 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (snort3-server-webapp.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (snort3-server-webapp.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (snort3-browser-webkit.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (snort3-server-webapp.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (snort3-malware-other.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (snort3-malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (snort3-server-webapp.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (snort3-malware-other.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (snort3-browser-webkit.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (snort3-malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (snort3-malware-other.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (snort3-malware-other.rules)

Modified Rules:



2020-07-30 12:22:53 UTC

Snort Subscriber Rules Update

Date: 2020-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54671 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project information disclosure attempt (server-webapp.rules)
 * 1:54672 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote code execution attempt (server-webapp.rules)
 * 1:54666 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54673 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project backup download attempt (server-webapp.rules)
 * 1:54674 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project copy attempt (server-webapp.rules)
 * 1:54651 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54652 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Nanocore-9025522-0 download attempt (malware-other.rules)
 * 1:54653 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54675 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE remote project back directory traversal attempt (server-webapp.rules)
 * 1:54654 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Gh0stRAT-9107742-0 download attempt (malware-other.rules)
 * 1:54658 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54659 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54660 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9127509-0 download attempt (malware-other.rules)
 * 1:54665 <-> DISABLED <-> BROWSER-WEBKIT WebKit JIT compiler common subexpression elimination out of bounds access attempt (browser-webkit.rules)
 * 1:54657 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bunitu-9128889-0 download attempt (malware-other.rules)
 * 1:54662 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54661 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130272-0 download attempt (malware-other.rules)
 * 1:54669 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54664 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54663 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Cerber-9130422-0 download attempt (malware-other.rules)
 * 1:54670 <-> DISABLED <-> SERVER-WEBAPP Rockwell FactoryTalk View SE project list disclosure attempt (server-webapp.rules)
 * 3:54656 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager device manager access detected (policy-other.rules)
 * 3:54668 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:54667 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
 * 3:54655 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)