Talos Rules 2020-01-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, indicator-compromise, policy-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)

Modified Rules:


 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)

Modified Rules:


 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)

Modified Rules:


 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (snort3-indicator-compromise.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (snort3-policy-other.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (snort3-server-webapp.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (snort3-indicator-compromise.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (snort3-server-webapp.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (snort3-server-webapp.rules)
 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (snort3-server-webapp.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (snort3-server-webapp.rules)

2020-01-22 20:19:12 UTC

Snort Subscriber Rules Update

Date: 2020-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52634 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52635 <-> DISABLED <-> INDICATOR-COMPROMISE Website defacement via HTTP PUT request attempt (indicator-compromise.rules)
 * 1:52639 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52640 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52636 <-> DISABLED <-> POLICY-OTHER HTTP PUT request for Default.aspx attempt (policy-other.rules)
 * 1:52637 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 1:52638 <-> DISABLED <-> SERVER-WEBAPP eMerge E3 Access Controller command injection attempt (server-webapp.rules)
 * 3:52644 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52649 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52643 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager denial of service attempt (server-webapp.rules)
 * 3:52631 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52627 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52641 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52642 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager unauthorized password change attempt (server-webapp.rules)
 * 3:52630 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52632 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52645 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52646 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52647 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52648 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS IS-IS SNMP denial of service attempt (protocol-snmp.rules)
 * 3:52628 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)
 * 3:52633 <-> ENABLED <-> SERVER-OTHER Cisco IOS EVPN NLRI parsing denial of service attempt (server-other.rules)
 * 3:52629 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center LDAP authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:51806 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51805 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:51804 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
 * 1:51807 <-> DISABLED <-> SERVER-WEBAPP Wordpress Admin panel delete action cross site scripting attempt (server-webapp.rules)
 * 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)