Talos Rules 2020-09-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (snort3-server-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (snort3-malware-other.rules)
 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (snort3-server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (snort3-os-windows.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (snort3-malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (snort3-file-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (snort3-malware-other.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (snort3-server-other.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (snort3-malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (snort3-malware-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (snort3-server-webapp.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (snort3-file-other.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (snort3-server-webapp.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (snort3-malware-other.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (snort3-server-webapp.rules)

Modified Rules:



2020-09-22 20:12:46 UTC

Snort Subscriber Rules Update

Date: 2020-09-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55805 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55803 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NetrServerReqChallenge RPC transport sign and seal disabling attempt (os-windows.rules)
 * 1:55792 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)
 * 1:55796 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55798 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55795 <-> DISABLED <-> MALWARE-OTHER PUA.Unix.Adware.Cimpli-9764278-0 download attempt (malware-other.rules)
 * 1:55799 <-> DISABLED <-> FILE-OTHER Apple Safari WebKit HTMLFrameElementBase isURLAllowed Subframe exploit attempt (file-other.rules)
 * 1:55793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hupigon-9763906-0 download attempt (malware-other.rules)
 * 1:55797 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP Database Reset database reset attempt (server-webapp.rules)
 * 1:55801 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55800 <-> DISABLED <-> SERVER-WEBAPP Apache Tomcat HTTP/2 denial of service attempt (server-webapp.rules)
 * 1:55804 <-> DISABLED <-> SERVER-OTHER Redis replication arbitrary code execution attempt (server-other.rules)
 * 1:55791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Farfli-9763835-0 download attempt (malware-other.rules)

Modified Rules: