Talos Rules 2020-08-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-executable, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (snort3-malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (snort3-malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (snort3-malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (snort3-malware-other.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (snort3-malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (snort3-malware-other.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (snort3-server-webapp.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (snort3-malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (snort3-malware-other.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (snort3-server-webapp.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (snort3-malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (snort3-malware-other.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (snort3-server-webapp.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (snort3-malware-other.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (snort3-malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (snort3-malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (snort3-malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (snort3-malware-other.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (snort3-malware-cnc.rules)
 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (snort3-malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (snort3-malware-other.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (snort3-server-webapp.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (snort3-malware-other.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (snort3-malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (snort3-malware-other.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (snort3-malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (snort3-malware-other.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (snort3-file-executable.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (snort3-file-executable.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (snort3-malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (snort3-malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (snort3-malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (snort3-malware-other.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (snort3-server-webapp.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (snort3-malware-cnc.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (snort3-server-webapp.rules)

Modified Rules:



2020-08-18 17:13:07 UTC

Snort Subscriber Rules Update

Date: 2020-08-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54813 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54804 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54807 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54809 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54775 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54776 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Johnnie-9294701-0 download attempt (malware-other.rules)
 * 1:54777 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54778 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Cerber-9294966-0 download attempt (malware-other.rules)
 * 1:54779 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54780 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Ircbot-9310443-0 download attempt (malware-other.rules)
 * 1:54781 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54782 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Zeroaccess-9315513-0 download attempt (malware-other.rules)
 * 1:54783 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54808 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371733-0 download attempt (malware-other.rules)
 * 1:54784 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ursnif-9351552-0 download attempt (malware-other.rules)
 * 1:54811 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54803 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 1:54785 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54786 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi-9367751-0 download attempt (malware-other.rules)
 * 1:54787 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54788 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Malware Protection Engine denial-of-service attempt (file-executable.rules)
 * 1:54789 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54790 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
 * 1:54791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Kovter variant payload download attempt (malware-other.rules)
 * 1:54793 <-> ENABLED <-> MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt (malware-cnc.rules)
 * 1:54806 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9371729-0 download attempt (malware-other.rules)
 * 1:54812 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Kuluoz-9372655-0 download attempt (malware-other.rules)
 * 1:54805 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Emotet-9371545-0 download attempt (malware-other.rules)
 * 1:54794 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Fdld-9371797-0 download attempt (malware-other.rules)
 * 1:54795 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54796 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54797 <-> ENABLED <-> SERVER-WEBAPP Zeroshell Linux Router command injection attempt (server-webapp.rules)
 * 1:54801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taidoor variant outbound connection (malware-cnc.rules)
 * 1:54802 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Poison-9371279-0 download attempt (malware-other.rules)
 * 3:54798 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54799 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)
 * 3:54800 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1135 attack attempt (server-webapp.rules)

Modified Rules: