Talos Rules 2020-11-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-office, file-other, malware-cnc, malware-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats. Note the default states in the lists below: the new SERVER-WEBAPP Oracle WebLogic Server command injection rules (1:56200 through 1:56203), the FILE-OTHER Citrix Gateway executable search order hijack rules (1:56186 through 1:56188) and all of the new MALWARE-OTHER download rules ship DISABLED and must be enabled explicitly; only the MALWARE-CNC Kimsuky rules (1:56204 through 1:56207) and the gid 3 TRUFFLEHUNTER rules ship ENABLED.

Change logs

2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:

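The lists on this page all use the gid:sid <-> state <-> message (rule group) format described above, and the same rule set is repeated once per supported Snort version. The following Python script is an added example, not tooling that Talos ships: it parses that format, checks that every Snort version in a release carries the same set of new rules, and groups the rules that are DISABLED by default by rule file so an operator can decide which to turn on. The embedded sample is a trimmed, constructed copy of a few lines from this page, with one entry deliberately dropped from the second version's list so the consistency check has something to report. The one-gid:sid-per-line output format is assumed to match PulledPork's enablesid.conf; that is an assumption, not something this page states.

```python
import re
from collections import defaultdict

# One change-log entry in the Talos format:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
VERSION_RE = re.compile(r"for Snort version (?P<ver>\d+)\.")

# Constructed sample: a few lines copied from this page's first two change logs.
# 1:56186 is deliberately omitted from the 2091600 list so the check below fires.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

New Rules:

 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)

Modified Rules:

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

New Rules:

 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)

Modified Rules:
"""


def parse_changelog(text):
    """Return {snort_version: {"new": [...], "modified": [...]}} for a Talos change log.

    Each entry is a dict with gid, sid (ints), state, msg and group (the .rules file).
    """
    logs = {}
    version, section = None, None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:  # a new per-version change log starts here
            version = m.group("ver")
            logs[version] = {"new": [], "modified": []}
            section = None
            continue
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and version and section:
            entry = m.groupdict()
            entry["gid"], entry["sid"] = int(entry["gid"]), int(entry["sid"])
            logs[version][section].append(entry)
    return logs


def rule_ids(entries):
    return {(e["gid"], e["sid"]) for e in entries}


def check_consistency(logs):
    """Every Snort version in one release should list the same new rules.

    Returns {version: (missing, extra)} relative to the first version in the log.
    """
    versions = list(logs)
    base = rule_ids(logs[versions[0]]["new"])
    diffs = {}
    for v in versions[1:]:
        ids = rule_ids(logs[v]["new"])
        diffs[v] = (sorted(base - ids), sorted(ids - base))
    return diffs


def disabled_by_default(entries):
    """Group DISABLED entries by rule file so an operator can decide what to enable."""
    groups = defaultdict(list)
    for e in entries:
        if e["state"] == "DISABLED":
            groups[e["group"]].append((e["gid"], e["sid"], e["msg"]))
    return dict(groups)


def enablesid_lines(entries, groups_to_enable):
    """Emit 'gid:sid' lines for the DISABLED rules in the chosen rule files.

    Assumption: one 'gid:sid' per line is the PulledPork enablesid.conf format.
    """
    return [f"{e['gid']}:{e['sid']}" for e in entries
            if e["state"] == "DISABLED" and e["group"] in groups_to_enable]


if __name__ == "__main__":
    logs = parse_changelog(SAMPLE)
    for v, (missing, extra) in check_consistency(logs).items():
        print(f"{v}: missing={missing} extra={extra}")
    first = logs[next(iter(logs))]["new"]
    for group, rules in disabled_by_default(first).items():
        print(group)
        for gid, sid, msg in rules:
            print(f"  {gid}:{sid}  {msg}")
    print("\n".join(enablesid_lines(first, {"server-webapp.rules", "file-other.rules"})))
```

Run against the full text of this page, the consistency report should be empty for every version listed; any SID missing from one version's list points at a truncated or mismatched change log rather than at a real difference between the packs.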


2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (snort3-malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (snort3-malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (snort3-malware-other.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (snort3-malware-other.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (snort3-malware-other.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (snort3-malware-other.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (snort3-malware-cnc.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (snort3-malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (snort3-malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (snort3-malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (snort3-malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (snort3-malware-other.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (snort3-malware-cnc.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (snort3-malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (snort3-malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (snort3-malware-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (snort3-malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (snort3-file-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (snort3-file-other.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (snort3-malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (snort3-server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (snort3-malware-cnc.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (snort3-file-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (snort3-malware-other.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (snort3-malware-cnc.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (snort3-malware-other.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (snort3-malware-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (snort3-malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (snort3-malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (snort3-malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (snort3-malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (snort3-malware-other.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (snort3-malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (snort3-malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (snort3-malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (snort3-malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (snort3-server-webapp.rules)
 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (snort3-server-webapp.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (snort3-server-webapp.rules)

Modified Rules:



2020-11-03 00:24:37 UTC

Snort Subscriber Rules Update

Date: 2020-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56201 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56175 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56189 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56191 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56177 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56169 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56193 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56202 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56204 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56168 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Komodia-9784770-0 download attempt (malware-other.rules)
 * 1:56198 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56200 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56206 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56182 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56180 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56196 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56176 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784898-0 download attempt (malware-other.rules)
 * 1:56207 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56170 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56187 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection (malware-cnc.rules)
 * 1:56195 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785971-0 download attempt (malware-other.rules)
 * 1:56194 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785801-0 download attempt (malware-other.rules)
 * 1:56197 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Qbot-9785980-0 download attempt (malware-other.rules)
 * 1:56172 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56179 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56203 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server command injection attempt (server-webapp.rules)
 * 1:56171 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Emotet-9784823-0 download attempt (malware-other.rules)
 * 1:56174 <-> DISABLED <-> MALWARE-OTHER PUA.Win.Adware.Addlyrics-9784897-0 download attempt (malware-other.rules)
 * 1:56181 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784989-0 download attempt (malware-other.rules)
 * 1:56184 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 1:56186 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56173 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Komodia-9784896-0 download attempt (malware-other.rules)
 * 1:56188 <-> DISABLED <-> FILE-OTHER Citrix Gateway executable search order hijack attempt (file-other.rules)
 * 1:56178 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9784988-0 download attempt (malware-other.rules)
 * 1:56190 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785657-0 download attempt (malware-other.rules)
 * 1:56183 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ursu-9785115-0 download attempt (malware-other.rules)
 * 1:56192 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Upatre-9785658-0 download attempt (malware-other.rules)
 * 1:56185 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Banload-9785270-0 download attempt (malware-other.rules)
 * 3:56199 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1193 attack attempt (server-webapp.rules)
 * 3:56208 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1184 attack attempt (protocol-scada.rules)
 * 3:56209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1192 attack attempt (file-office.rules)
 * 3:56211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1185 attack attempt (server-webapp.rules)
 * 3:56212 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)
 * 3:56213 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1191 attack attempt (file-office.rules)

Modified Rules: