Talos Rules 2021-04-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, file-pdf, indicator-obfuscation, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (snort3-malware-backdoor.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (snort3-browser-chrome.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (snort3-browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (snort3-server-webapp.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (snort3-pua-other.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (snort3-malware-cnc.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (snort3-indicator-obfuscation.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (snort3-server-webapp.rules)

2021-04-15 13:32:38 UTC

Snort Subscriber Rules Update

Date: 2021-04-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57421 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57417 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57418 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57416 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57415 <-> DISABLED <-> SERVER-WEBAPP Adobe Magento DownloadCss.php cross site scripting attempt (server-webapp.rules)
 * 1:57424 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57423 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:57426 <-> DISABLED <-> SERVER-WEBAPP Zend and laminas-http frameworks streamName PHP object injection attempt (server-webapp.rules)
 * 1:57425 <-> ENABLED <-> MALWARE-BACKDOOR Php.Malware.Matamu inbound connection attempt (malware-backdoor.rules)
 * 1:57430 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 1:57419 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Raindrop variant outbound connection attempt (malware-cnc.rules)
 * 1:57420 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:57429 <-> DISABLED <-> BROWSER-CHROME Google Chrome Math.max memory corruption attempt (browser-chrome.rules)
 * 3:57428 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)
 * 3:57427 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1157 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:31896 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection (malware-cnc.rules)
 * 1:56827 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56828 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56829 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:56826 <-> ENABLED <-> SERVER-WEBAPP SolarWinds Orion authentication bypass attempt (server-webapp.rules)
 * 1:15152 <-> DISABLED <-> PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt (pua-other.rules)