Talos Rules 2020-04-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-04-16 12:19:18 UTC

Snort Subscriber Rules Update

Date: 2020-04-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

New Rules:


 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

New Rules:


 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

New Rules:


 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:


 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (snort3-malware-other.rules)
 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (snort3-malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (snort3-malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (snort3-malware-other.rules)

Modified Rules:



2020-04-16 12:19:18 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:


 * 1:53665 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53664 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53662 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 1:53663 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt (malware-other.rules)
 * 3:53672 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53673 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53685 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)
 * 3:53680 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director filename directory traversal attempt (server-webapp.rules)
 * 3:53669 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53679 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53678 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53681 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53661 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53674 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director REST API directory traversal attempt (server-webapp.rules)
 * 3:53670 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone libHTTPService.so stack buffer overflow attempt (server-webapp.rules)
 * 3:53671 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director authentication bypass attempt (server-webapp.rules)
 * 3:53675 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53668 <-> ENABLED <-> SERVER-OTHER Cisco Unified Communications Manager TAPS RMI directory traversal attempt (server-other.rules)
 * 3:53666 <-> ENABLED <-> SERVER-OTHER Cisco Wireless Lan Controller CAPWAP out of bounds access attempt (server-other.rules)
 * 3:53682 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53677 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director ClientServlet directory traversal attempt (server-webapp.rules)
 * 3:53676 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director LargeFileUploadServlet directory traversal attempt (server-webapp.rules)
 * 3:53667 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager TAPS RMI method lookup detected (policy-other.rules)
 * 3:53660 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
 * 3:53683 <-> ENABLED <-> SERVER-WEBAPP Cisco Mobility Express cross site request forgery attempt (server-webapp.rules)
 * 3:53684 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1047 attack attempt (file-other.rules)

Modified Rules: