Talos Rules 2020-12-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (snort3-policy-other.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (snort3-malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (snort3-malware-other.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (snort3-malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (snort3-malware-other.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (snort3-malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (snort3-malware-other.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (snort3-malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (snort3-malware-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (snort3-server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (snort3-malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (snort3-server-webapp.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (snort3-malware-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (snort3-malware-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (snort3-malware-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (snort3-malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (snort3-server-webapp.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (snort3-server-iis.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (snort3-malware-other.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (snort3-malware-other.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (snort3-malware-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (snort3-malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (snort3-malware-cnc.rules)

2020-12-30 22:18:20 UTC

Snort Subscriber Rules Update

Date: 2020-12-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56821 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56809 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56806 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56807 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56808 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Ulise-9815758-0 download attempt (malware-other.rules)
 * 1:56805 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9815757-0 download attempt (malware-other.rules)
 * 1:56804 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56810 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Yddld-9816553-0 download attempt (malware-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56818 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56817 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Quchispy-9818300-0 download attempt (malware-other.rules)
 * 1:56813 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)
 * 1:56822 <-> DISABLED <-> SERVER-WEBAPP Grafana Labs Grafana denial of service attempt (server-webapp.rules)
 * 1:56819 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant exploit attempt (malware-other.rules)
 * 1:56811 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56823 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56825 <-> DISABLED <-> POLICY-OTHER SolarWinds Orion version lookup attempt (policy-other.rules)
 * 1:56815 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56820 <-> DISABLED <-> MALWARE-OTHER Unix.Miner.PGMiner variant dropped bash script (malware-other.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56812 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Bladabindi-9816601-0 download attempt (malware-other.rules)
 * 1:56816 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Trojanx-9818175-0 download attempt (malware-other.rules)
 * 1:56824 <-> DISABLED <-> SERVER-WEBAPP Citrix CakePHP command injection attempt (server-webapp.rules)
 * 1:56814 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Qbot-9817504-0 download attempt (malware-other.rules)

Modified Rules:


 * 1:54357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sarwent variant outbound connection  (malware-cnc.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:30290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruterdep variant outbound connection (malware-cnc.rules)