Talos Rules 2020-09-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in those areas.

Change logs

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (snort3-server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (snort3-server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)

Modified Rules:


 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (snort3-malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (snort3-malware-cnc.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (snort3-malware-cnc.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)

2020-09-29 13:31:20 UTC

Snort Subscriber Rules Update

Date: 2020-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
 * 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
 * 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)

Modified Rules:


 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
 * 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
 * 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
 * 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
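Every per-version list above uses the same line format (gid:sid <-> default state <-> message (rule group)), and the points a rule-tuning review cares about are easy to miss by eye: the new Nexos-theme XSS/SQLi rules ship DISABLED and will not fire until enabled, the gid 3 TRUFFLEHUNTER entries are shared-object rules that only load when the precompiled SO matching your Snort build is installed, and the Snort 3 pack (version 3000) lists no gid 3 rules at all. The parser below is an added example, not Talos or Snort code; it assumes the line format exactly as documented on this page, emits enable lines in the gid:sid form that PulledPork's enablesid.conf accepts, and runs on a constructed excerpt of lines copied from the first changelog above.

```python
"""Parse Snort Subscriber Rules Update entries of the form
   gid:sid <-> Default rule state <-> Message (rule group)
and extract what a rule-tuning review needs (added example, not Talos code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry, anchored on the " * " bullet the lists use.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str      # ENABLED / DISABLED: default state in the shipped policy
    category: str   # SERVER-WEBAPP, MALWARE-CNC, FILE-PDF, ...
    msg: str
    group: str      # rule file, e.g. server-webapp.rules or snort3-server-webapp.rules
    section: str    # "new" or "modified"


def parse_changelog(text: str) -> list[RuleChange]:
    """Walk one update block, tracking the 'New Rules:' / 'Modified Rules:' headers."""
    section = None
    changes: list[RuleChange] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, prose and headers carry no rule entry
        if section is None:
            raise ValueError(f"line {lineno}: rule entry before any section header")
        changes.append(RuleChange(int(m["gid"]), int(m["sid"]), m["state"], m["category"],
                                  m["msg"], m["group"], section))
    return changes


def disabled_by_default(changes: list[RuleChange], section: str = "new") -> list[tuple[int, int]]:
    """Rules shipped DISABLED never fire until the operator enables them."""
    return sorted((c.gid, c.sid) for c in changes if c.section == section and c.state == "DISABLED")


def shared_object_rules(changes: list[RuleChange]) -> list[tuple[int, int]]:
    """gid 3 entries are shared-object rules: they load only if the precompiled SO
    for your Snort version and platform is installed alongside the text rules."""
    return sorted((c.gid, c.sid) for c in changes if c.gid == 3)


def is_snort3_pack(changes: list[RuleChange]) -> bool:
    """Snort 3 packs name their rule files snort3-<group>.rules."""
    return bool(changes) and all(c.group.startswith("snort3-") for c in changes)


def summarize(changes: list[RuleChange]) -> Counter:
    """Counts keyed by (section, category, default state)."""
    return Counter((c.section, c.category, c.state) for c in changes)


def enablesid_lines(changes: list[RuleChange], categories: set[str]) -> list[str]:
    """gid:sid lines (the form PulledPork's enablesid.conf accepts) for new rules that
    ship DISABLED in the given categories, e.g. SERVER-WEBAPP on a WordPress estate."""
    wanted = sorted((c.gid, c.sid) for c in changes
                    if c.section == "new" and c.state == "DISABLED" and c.category in categories)
    return [f"{gid}:{sid}" for gid, sid in wanted]


# Constructed excerpt: lines copied from the 2091601 changelog on this page.
SAMPLE = """\
New Rules:

 * 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
 * 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
 * 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
 * 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new rules disabled by default:", disabled_by_default(parsed))
    print("shared-object (gid 3) rules:", shared_object_rules(parsed))
    print("enablesid.conf lines for SERVER-WEBAPP:", enablesid_lines(parsed, {"SERVER-WEBAPP"}))
    for key, n in sorted(summarize(parsed).items()):
        print(key, n)
```

Feed a whole update block (or the full page) to parse_changelog; the parser tolerates the header and format lines because they never match the bullet pattern, and it rejects a rule entry that appears before a section header so a truncated paste is not silently counted as "new".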