Talos Rules 2020-09-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-chrome, browser-other, file-multimedia, file-other, indicator-compromise, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, malware-tools, os-linux, policy-other, protocol-dns, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)

Modified Rules:


 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)

Modified Rules:


 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)

Modified Rules:


 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

Modified Rules:


 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

Modified Rules:


 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)

Modified Rules:


 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (snort3-malware-other.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (snort3-server-other.rules)
 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (snort3-server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (snort3-server-webapp.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (snort3-server-webapp.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (snort3-server-webapp.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (snort3-server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (snort3-server-other.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (snort3-malware-other.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (snort3-browser-chrome.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (snort3-browser-chrome.rules)

Modified Rules:


 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (snort3-malware-cnc.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (snort3-app-detect.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (snort3-app-detect.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (snort3-malware-cnc.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (snort3-os-linux.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (snort3-policy-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (snort3-malware-cnc.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (snort3-policy-other.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (snort3-malware-cnc.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (snort3-file-other.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (snort3-malware-cnc.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (snort3-policy-other.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (snort3-file-multimedia.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (snort3-malware-other.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (snort3-malware-other.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (snort3-malware-tools.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (snort3-policy-other.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (snort3-malware-cnc.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (snort3-malware-other.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (snort3-app-detect.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (snort3-malware-cnc.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (snort3-malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (snort3-malware-backdoor.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (snort3-app-detect.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (snort3-malware-cnc.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (snort3-os-linux.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (snort3-malware-other.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (snort3-indicator-shellcode.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (snort3-malware-cnc.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (snort3-file-other.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (snort3-browser-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (snort3-malware-cnc.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (snort3-indicator-compromise.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (snort3-malware-tools.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (snort3-malware-backdoor.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (snort3-malware-cnc.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (snort3-malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (snort3-malware-cnc.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (snort3-malware-cnc.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (snort3-malware-cnc.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (snort3-app-detect.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (snort3-malware-cnc.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (snort3-malware-cnc.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (snort3-policy-other.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (snort3-app-detect.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (snort3-malware-tools.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (snort3-malware-tools.rules)

2020-09-24 17:16:34 UTC

Snort Subscriber Rules Update

Date: 2020-09-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55823 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55810 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55814 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55825 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55811 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55813 <-> DISABLED <-> SERVER-OTHER Symantec Endpoint Protection tamper protection bypass attempt (server-other.rules)
 * 1:55826 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server DlpUtils remote code execution attempt (server-webapp.rules)
 * 1:55824 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet CnCContactAlertResult SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55809 <-> DISABLED <-> BROWSER-CHROME Google Chrome AudioArray memory corruption attempt (browser-chrome.rules)
 * 1:55812 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Mekotio variant second stage dropper download attempt (malware-other.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55821 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails command injection attempt (server-webapp.rules)
 * 3:55820 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE Flexible NetFlow denial of service attempt (protocol-other.rules)
 * 3:55817 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55807 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55818 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55806 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55808 <-> ENABLED <-> POLICY-OTHER Cisco IOS Software VLPWA file read detected (policy-other.rules)
 * 3:55830 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55833 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI restricted character in authentication detected (policy-other.rules)
 * 3:55832 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE mDNS denial of service attempt (server-other.rules)
 * 3:55815 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55819 <-> ENABLED <-> SERVER-OTHER Cisco IOS Common Open Policy Service denial of service attempt (server-other.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)
 * 3:55831 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:55822 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS XE Umbrella Connector denial of service attempt (protocol-dns.rules)

Modified Rules:


 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:51911 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Gustuff variant outbound cnc connection (malware-cnc.rules)
 * 1:48146 <-> DISABLED <-> MALWARE-BACKDOOR Rebhip variant runtime detection (malware-backdoor.rules)
 * 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:53643 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:27933 <-> DISABLED <-> APP-DETECT Splashtop streamer download attempt (app-detect.rules)
 * 1:48571 <-> DISABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:32950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection (malware-cnc.rules)
 * 1:48569 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:37814 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:50736 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:53633 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:27934 <-> DISABLED <-> APP-DETECT Splashtop personal download attempt (app-detect.rules)
 * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules)
 * 1:50734 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:53645 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Panda file loader and decryptor attempt (malware-tools.rules)
 * 1:41162 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Nemucod variant (malware-cnc.rules)
 * 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:37524 <-> DISABLED <-> FILE-OTHER ReGet Deluxe wjr file buffer overflow attempt (file-other.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:50737 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:34224 <-> DISABLED <-> INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl (indicator-shellcode.rules)
 * 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
 * 1:37815 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:50735 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Anubis variant outbound connection (malware-cnc.rules)
 * 1:30000 <-> DISABLED <-> MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt (malware-backdoor.rules)
 * 1:19950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules)
 * 1:32505 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection (malware-cnc.rules)
 * 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:53632 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious DLL loader attempt (malware-other.rules)
 * 1:31633 <-> DISABLED <-> MALWARE-CNC Noniem.A outbound connection (malware-cnc.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:48570 <-> DISABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:53635 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Panda malicious loader and decryptor attempt (malware-other.rules)
 * 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
 * 1:20673 <-> DISABLED <-> FILE-MULTIMEDIA invalid VLC media player SMB URI download attempt (file-multimedia.rules)
 * 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)