Talos Rules 2020-10-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (snort3-malware-other.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (snort3-malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (snort3-malware-other.rules)
 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (snort3-malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (snort3-malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (snort3-malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (snort3-malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (snort3-malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (snort3-malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (snort3-malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (snort3-malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (snort3-malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (snort3-malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (snort3-malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (snort3-malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (snort3-malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (snort3-server-other.rules)
 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (snort3-malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)

2020-10-01 12:22:10 UTC

Snort Subscriber Rules Update

Date: 2020-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:55852 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55856 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55858 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55846 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)
 * 1:55862 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55850 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55848 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55861 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55860 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Gamarue-9769424-0 download attempt (malware-other.rules)
 * 1:55851 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Auqyqcbi-9769106-0 download attempt (malware-other.rules)
 * 1:55859 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agen-9769447-0 download attempt (malware-other.rules)
 * 1:55853 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Magania-9769241-0 download attempt (malware-other.rules)
 * 1:55847 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768673-0 download attempt (malware-other.rules)
 * 1:55857 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Ulise-9769434-0 download attempt (malware-other.rules)
 * 1:55849 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Delf-9768956-0 download attempt (malware-other.rules)
 * 1:55855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-9769405-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:49218 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49217 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49215 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:55743 <-> DISABLED <-> SERVER-OTHER Rockwell Automation FactoryTalk Diagnostics remote code execution attempt (server-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:48983 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
 * 1:49216 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)