Talos Rules 2021-04-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-ie, browser-other, exploit-kit, file-pdf, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)

Modified Rules:


 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (snort3-malware-other.rules)
 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (snort3-malware-other.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (snort3-malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (snort3-malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (snort3-malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (snort3-browser-other.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (snort3-browser-ie.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (snort3-exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (snort3-exploit-kit.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (snort3-app-detect.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (snort3-browser-other.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (snort3-exploit-kit.rules)
 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (snort3-exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (snort3-exploit-kit.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (snort3-app-detect.rules)

2021-04-27 12:36:09 UTC

Snort Subscriber Rules Update

Date: 2021-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57470 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57471 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57469 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Agent malicious script payload download attempt (malware-other.rules)
 * 1:57473 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 1:57474 <-> ENABLED <-> MALWARE-CNC Win.Malware.LemonDuck variant outbound cnc connection (malware-cnc.rules)
 * 1:57472 <-> ENABLED <-> MALWARE-OTHER Win.Malware.LemonDuck variant payload download attempt (malware-other.rules)
 * 3:57476 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-other.rules)
 * 3:57480 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57477 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1282 attack attempt (policy-other.rules)
 * 3:57475 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1284 attack attempt (server-webapp.rules)
 * 3:57479 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1287 attack attempt (file-pdf.rules)
 * 3:57478 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1281 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:27891 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit secondary payload (exploit-kit.rules)
 * 1:15462 <-> DISABLED <-> BROWSER-OTHER Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt (browser-other.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:27922 <-> DISABLED <-> APP-DETECT Splashtop outbound connection attempt (app-detect.rules)
 * 1:28246 <-> DISABLED <-> APP-DETECT Bizhi Sogou Wallpaper application download schema response (app-detect.rules)
 * 1:15468 <-> ENABLED <-> BROWSER-IE Apple Safari-Internet Explorer SearchPath blended threat dll request (browser-ie.rules)
 * 1:26891 <-> ENABLED <-> EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download (exploit-kit.rules)
 * 1:27885 <-> ENABLED <-> EXPLOIT-KIT Teletubbies exploit kit payload download (exploit-kit.rules)
 * 1:26377 <-> ENABLED <-> EXPLOIT-KIT Redkit exploit kit java exploit request (exploit-kit.rules)
 * 1:25540 <-> ENABLED <-> EXPLOIT-KIT Red Dot executable retrieval attempt (exploit-kit.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)