Talos Rules 2021-07-26
This release adds and modifies rules in several categories.

Today Talos is releasing coverage to detect exploitation attempts of NTLM Relay Attacks on Active Directory Certificate Services AKA SeriousSAM. Coverage is being released as SIDs 57965-57966.

Talos has added and modified multiple rules in the exploit-kit, malware-cnc, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)

Modified Rules:


 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)

Modified Rules:


 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)

Modified Rules:


 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 3:57963 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)
 * 3:57953 <-> ENABLED <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt (protocol-dns.rules)
 * 3:57964 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1347 attack attempt (os-other.rules)

Modified Rules:


 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (snort3-os-windows.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (snort3-malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (snort3-server-webapp.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (snort3-os-windows.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (snort3-malware-cnc.rules)
 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (snort3-exploit-kit.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (snort3-policy-other.rules)

2021-07-26 22:47:07 UTC

Snort Subscriber Rules Update

Date: 2021-07-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57959 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt (os-windows.rules)
 * 1:57940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt (malware-cnc.rules)
 * 1:57965 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected (os-windows.rules)
 * 1:57956 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt (malware-cnc.rules)
 * 1:57943 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57944 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57946 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57945 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57958 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57955 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57951 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)
 * 1:57954 <-> DISABLED <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt (server-webapp.rules)
 * 1:57962 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57957 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57942 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57960 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57947 <-> ENABLED <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt (malware-cnc.rules)
 * 1:57950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt (malware-cnc.rules)
 * 1:57961 <-> ENABLED <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt (malware-cnc.rules)
 * 1:57952 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt (os-windows.rules)

Modified Rules:


 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)

2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success


2021-07-26 22:50:28 UTC

Snort Subscriber Rules Update

Date: 2021-07-26-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57940 <-> MALWARE-CNC Win.Trojan.Raccoon outbound communication attempt
* 1:57941 <-> MALWARE-CNC Win.Trojan.Raccoon binary download attempt
* 1:57942 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57943 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57944 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57945 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57946 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57947 <-> MALWARE-CNC Php.Webshell.C99 inbound connection attempt
* 1:57948 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57949 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57950 <-> MALWARE-CNC Win.Trojan.Trickbot VNC module outbound connection attempt
* 1:57951 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 1:57952 <-> OS-WINDOWS Microsoft Windows SAM database improper ACLs elevation of privilege attempt
* 3:57953 <-> PROTOCOL-DNS ISC BIND RRSIG response processing denial of service attempt
* 1:57954 <-> SERVER-WEBAPP Velocloud VMware SD-WAN Orchestrator SQL injection attempt
* 1:57955 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57956 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57957 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57958 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57959 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57960 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57961 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57962 <-> MALWARE-CNC Aspx.Webshell.Caterpillar inbound connection attempt
* 1:57965 <-> OS-WINDOWS Microsoft Windows EFSRPC bind detected
* 1:57966 <-> OS-WINDOWS Microsoft Windows NTLM relay attack attempt

Modified Rules:

* 1:32639 <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port
* 1:54156 <-> POLICY-OTHER LDAP bind success