Talos Rules 2021-07-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, file-other, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 3:57935 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57934 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1342 attack attempt (os-other.rules)
 * 3:57939 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)
 * 3:57938 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1348 attack attempt (browser-chrome.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (snort3-malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (snort3-malware-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (snort3-malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (snort3-file-other.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (snort3-server-webapp.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (snort3-file-other.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (snort3-file-other.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (snort3-malware-cnc.rules)
 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)

2021-07-22 12:41:29 UTC

Snort Subscriber Rules Update

Date: 2021-07-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57936 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57937 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt (malware-other.rules)
 * 1:57932 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57919 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57933 <-> DISABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57921 <-> DISABLED <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt (server-webapp.rules)
 * 1:57923 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57927 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57922 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57930 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt (malware-cnc.rules)
 * 1:57920 <-> DISABLED <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt (malware-cnc.rules)
 * 1:57931 <-> ENABLED <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt (file-other.rules)
 * 1:57929 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57928 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57926 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57924 <-> DISABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)
 * 1:57925 <-> ENABLED <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt  (malware-cnc.rules)

Modified Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt


2021-07-22 12:44:02 UTC

Snort Subscriber Rules Update

Date: 2021-07-21-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300047 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57919 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57920 <-> MALWARE-CNC Osx.Trojan.Shlayer second stage download attempt
* 1:57921 <-> SERVER-WEBAPP Apache OFBiz XMLRPC unsafe deserialization attempt
* 1:57922 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57923 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57924 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57925 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57926 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57927 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57928 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57929 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt 
* 1:57930 <-> MALWARE-CNC Html.Webshell.ASPXSpy inbound connection attempt
* 1:57931 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57932 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57933 <-> FILE-OTHER ExifTool DjVu metadata command injection injection attempt
* 1:57936 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt
* 1:57937 <-> MALWARE-OTHER Win.Dropper.Raccoon malicious file download attempt

Modified Rules:

* 1:57566 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt
* 1:57567 <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt