Talos Rules 2019-06-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 3:50320 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager denial of service attempt (server-other.rules)
 * 3:50335 <-> ENABLED <-> SERVER-WEBAPP Cisco Industrial Network Director remote code execution attempt (server-webapp.rules)

Modified Rules:



2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 3:50320 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager denial of service attempt (server-other.rules)
 * 3:50335 <-> ENABLED <-> SERVER-WEBAPP Cisco Industrial Network Director remote code execution attempt (server-webapp.rules)

Modified Rules:



2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 3:50320 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager denial of service attempt (server-other.rules)
 * 3:50335 <-> ENABLED <-> SERVER-WEBAPP Cisco Industrial Network Director remote code execution attempt (server-webapp.rules)

Modified Rules:



2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (snort3-server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (snort3-server-webapp.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (snort3-server-webapp.rules)
 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (snort3-malware-cnc.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (snort3-malware-cnc.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (snort3-malware-cnc.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (snort3-malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (snort3-server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (snort3-server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (snort3-server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (snort3-server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (snort3-server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (snort3-server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (snort3-server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (snort3-server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (snort3-server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (snort3-server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (snort3-server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (snort3-server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (snort3-server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (snort3-server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (snort3-server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (snort3-server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (snort3-server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (snort3-server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (snort3-server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (snort3-server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (snort3-server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (snort3-server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (snort3-server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (snort3-server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (snort3-server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (snort3-server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (snort3-server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (snort3-server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (snort3-server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (snort3-server-webapp.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (snort3-server-webapp.rules)
 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (snort3-server-webapp.rules)

Modified Rules:



2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 3:50320 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager denial of service attempt (server-other.rules)
 * 3:50335 <-> ENABLED <-> SERVER-WEBAPP Cisco Industrial Network Director remote code execution attempt (server-webapp.rules)

Modified Rules:



2019-06-06 11:57:31 UTC

Snort Subscriber Rules Update

Date: 2019-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50337 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50342 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50347 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50343 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50339 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50341 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50345 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50340 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.Motion Builder command injection attempt (server-webapp.rules)
 * 1:50300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50344 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50308 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50309 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50310 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50311 <-> DISABLED <-> SERVER-WEBAPP Dell KACE K1000 command injection attempt (server-webapp.rules)
 * 1:50312 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50313 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50314 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50315 <-> DISABLED <-> SERVER-WEBAPP HooToo tripMate protocol.csp mac parameter command injection attempt (server-webapp.rules)
 * 1:50316 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50317 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50318 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50319 <-> DISABLED <-> SERVER-WEBAPP Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt (server-webapp.rules)
 * 1:50323 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50324 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50325 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50338 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50326 <-> DISABLED <-> SERVER-WEBAPP Crestron AM platform command injection attempt (server-webapp.rules)
 * 1:50322 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50327 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50321 <-> DISABLED <-> SERVER-WEBAPP MiCasaVerde VeraLite remote code execution attempt (server-webapp.rules)
 * 1:50328 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50329 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50330 <-> DISABLED <-> SERVER-WEBAPP LG SuperSignEz CMS command injection attempt (server-webapp.rules)
 * 1:50331 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50332 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50334 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50333 <-> DISABLED <-> SERVER-WEBAPP Asustor ADM command injection attempt (server-webapp.rules)
 * 1:50346 <-> ENABLED <-> SERVER-WEBAPP VMWare NSX SD-WAN Edge command injection attempt (server-webapp.rules)
 * 1:50336 <-> ENABLED <-> SERVER-WEBAPP GoAhead IP Camera set_ftp.cgi command injection attempt (server-webapp.rules)
 * 1:50301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TRITON attack tool outbound connection (malware-cnc.rules)
 * 3:50320 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager denial of service attempt (server-other.rules)
 * 3:50335 <-> ENABLED <-> SERVER-WEBAPP Cisco Industrial Network Director remote code execution attempt (server-webapp.rules)

Modified Rules: