Talos Rules 2021-04-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (snort3-server-other.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (snort3-malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (snort3-malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (snort3-malware-backdoor.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (snort3-malware-backdoor.rules)

Modified Rules:



2021-04-22 16:06:36 UTC

Snort Subscriber Rules Update

Date: 2021-04-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57461 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection (malware-backdoor.rules)
 * 1:57468 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57464 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57466 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57463 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57460 <-> DISABLED <-> SERVER-OTHER dnsmasq PX record response heap overflow attempt (server-other.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:57462 <-> DISABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access (malware-backdoor.rules)
 * 1:57467 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection (malware-backdoor.rules)

Modified Rules: