Talos Rules 2021-01-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-1647: A coding deficiency exists in Microsoft Defender that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56857 through 56860.

Microsoft Vulnerability CVE-2021-1707: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 56865.

Microsoft Vulnerability CVE-2021-1709: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 56849 through 56856.

Talos has also added and modified multiple rules in the browser-other, content-replace, file-executable, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
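The "gid:sid <-> Default rule state <-> Message (rule group)" line format above is simple enough to parse, and doing so answers the question a defender has after reading the release notes: of the SIDs cited for CVE-2021-1647, CVE-2021-1707 and CVE-2021-1709, which ones actually ship enabled? The script below is an added example, not Talos or Snort code; SAMPLE_CHANGELOG is constructed from lines on this page (a subset of the 2091700 listing), ADVISORY_COVERAGE is the SID mapping from the release notes, and the function names are my own. It works for any changelog in this format, not just this release.

```python
import re
from dataclasses import dataclass

# Constructed sample in the changelog's own line format
# ("gid:sid <-> Default rule state <-> Message (rule group)"). Lines are copied
# from the 2091700 listing, trimmed to the SIDs the release notes cite plus a
# few others, so the script runs offline.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:

 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
"""

# Coverage claimed in the release notes: CVE -> (gid, SID range).
ADVISORY_COVERAGE = {
    "CVE-2021-1647": (1, "56857-56860"),
    "CVE-2021-1707": (1, "56865"),
    "CVE-2021-1709": (1, "56849-56856"),
}

# One entry line; the message runs up to the trailing "(<file>.rules)".
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

@dataclass(frozen=True)
class RuleEntry:
    section: str  # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    state: str    # default state in the shipped pack: ENABLED or DISABLED
    message: str
    group: str    # rule file, e.g. "os-windows.rules"

def parse_changelog(text):
    """Parse changelog text into RuleEntry objects tagged with their section."""
    entries, section = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):  # section headers such as "New Rules:"
            section = stripped[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:  # blank lines and prose do not match and are skipped
            entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]),
                                     m["state"], m["msg"], m["group"]))
    return entries

def expand_sids(spec):
    """'56857-56860' -> {56857, 56858, 56859, 56860}; '56865' -> {56865}."""
    sids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sids

def coverage_report(entries, coverage):
    """Per CVE, map each cited SID to its default state, or 'MISSING' when the
    changelog does not list it under New Rules."""
    new = {(e.gid, e.sid): e.state for e in entries if e.section == "New Rules"}
    return {cve: {sid: new.get((gid, sid), "MISSING") for sid in sorted(expand_sids(spec))}
            for cve, (gid, spec) in coverage.items()}

def needs_enabling(report):
    """CVEs whose cited rules ship DISABLED: these must be switched on explicitly
    (for PulledPork users, an enablesid.conf entry) or the advertised coverage
    never fires."""
    return {cve: [sid for sid, state in sids.items() if state == "DISABLED"]
            for cve, sids in report.items() if "DISABLED" in sids.values()}

if __name__ == "__main__":
    report = coverage_report(parse_changelog(SAMPLE_CHANGELOG), ADVISORY_COVERAGE)
    for cve, sids in report.items():
        print(cve, sids)
    print("ship disabled by default:", needs_enabling(report))
```

Run against this sample, the Defender (CVE-2021-1647) and Win32k (CVE-2021-1709) rules all come back DISABLED, while the SharePoint rule 56865 is ENABLED; the same parse can be pointed at the full listing or a later changelog to repeat the check.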

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (snort3-browser-other.rules)
 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (snort3-content-replace.rules)
 * 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (snort3-content-replace.rules)
 * 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (snort3-malware-cnc.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (snort3-malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (snort3-malware-cnc.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (snort3-server-other.rules)
 * 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (snort3-content-replace.rules)
 * 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (snort3-content-replace.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (snort3-browser-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (snort3-content-replace.rules)
 * 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (snort3-content-replace.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
 * 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (snort3-content-replace.rules)
 * 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
 * 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (snort3-content-replace.rules)
 * 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (snort3-content-replace.rules)
 * 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (snort3-content-replace.rules)
 * 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (snort3-content-replace.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (snort3-server-webapp.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (snort3-server-webapp.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (snort3-content-replace.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (snort3-content-replace.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (snort3-server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (snort3-content-replace.rules)

2021-01-12 18:40:11 UTC

Snort Subscriber Rules Update

Date: 2021-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (server-other.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56846 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56845 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber protocol cross-site scripting attempt (browser-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56863 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt (malware-cnc.rules)
 * 1:56864 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate (malware-cnc.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (malware-cnc.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (file-executable.rules)
 * 3:56848 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)
 * 3:56847 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1222 attack attempt (file-other.rules)

Modified Rules:


 * 1:50878 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:50877 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (server-webapp.rules)
 * 1:24096 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:50876 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24097 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
 * 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
 * 1:50879 <-> DISABLED <-> SERVER-WEBAPP WordPress Statistics cross site scripting attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> CONTENT-REPLACE Teamviewer remote connection attempt (content-replace.rules)
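The change logs above all share one line format, "gid:sid <-> Default rule state <-> Message (rule group)", and the point a deployment engineer needs from them is easy to miss by eye: the Defender rules (1:56857 through 1:56860) and the Win32k rules (1:56849 through 1:56856) ship DISABLED, so a sensor running the default policy raises no alert for CVE-2021-1647 or CVE-2021-1709 until those SIDs are turned on, while the SharePoint rule 1:56865 is ENABLED. The script below is an added example, not part of the Talos or Snort release notes. It parses the change-log format, checks that every SID in a range the advisory names is actually present, and lists the new rules in that range that are disabled by default. The sample input is a subset of lines copied from the Snort 3000 section above; the function and variable names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Sample input: a subset of lines from the Snort 3000 change log above,
# in the documented format "gid:sid <-> Default rule state <-> Message (rule group)".
SAMPLE_CHANGELOG = """\
New Rules:


 * 1:56853 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (snort3-content-replace.rules)
 * 1:56856 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56857 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56858 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56859 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56860 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Defender buffer overflow attempt (snort3-file-executable.rules)
 * 1:56862 <-> ENABLED <-> MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt (snort3-malware-cnc.rules)
 * 1:56865 <-> ENABLED <-> SERVER-OTHER Microsoft Sharepoint Server remote code execution attempt (snort3-server-other.rules)
 * 1:56849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56850 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56852 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56855 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:56851 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:43693 <-> DISABLED <-> SERVER-WEBAPP Mantis Bug Tracker password reset attempt (snort3-server-webapp.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (ruleset.rules)".
RULE_LINE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<ruleset>[^()]+\.rules)\)\s*$"
)
SECTION_LINE = re.compile(r"^(New|Modified) Rules:\s*$")


class Rule(NamedTuple):
    section: str    # "New" or "Modified"
    gid: int
    sid: int
    enabled: bool   # default rule state in the shipped policy
    msg: str
    ruleset: str


def parse_changelog(text: str) -> List[Rule]:
    """Parse change-log text into Rule records, tracking which section each line is in."""
    rules: List[Rule] = []
    section: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_LINE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and section:
            rules.append(Rule(section, int(m["gid"]), int(m["sid"]),
                              m["state"] == "ENABLED", m["msg"], m["ruleset"]))
    return rules


def missing_sids(rules: List[Rule], gid: int, lo: int, hi: int) -> List[int]:
    """SIDs in an advertised range (e.g. 56849 through 56856) that the change log never lists."""
    present = {r.sid for r in rules if r.gid == gid}
    return [s for s in range(lo, hi + 1) if s not in present]


def disabled_by_default(rules: List[Rule], gid: int, lo: int, hi: int) -> List[str]:
    """'gid:sid' of new rules in the range that ship DISABLED and so alert only after a policy change."""
    hits = sorted((r.gid, r.sid) for r in rules
                  if r.section == "New" and r.gid == gid and lo <= r.sid <= hi and not r.enabled)
    return [f"{g}:{s}" for g, s in hits]


def count_by_ruleset(rules: List[Rule]) -> Dict[str, int]:
    """How many listed rules fall in each rule file."""
    return dict(Counter(r.ruleset for r in rules))


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    # Ranges as stated in the advisory text: Defender, Win32k, SharePoint.
    for label, lo, hi in (("CVE-2021-1647 Defender", 56857, 56860),
                          ("CVE-2021-1709 Win32k", 56849, 56856),
                          ("CVE-2021-1707 SharePoint", 56865, 56865)):
        print(label, "missing:", missing_sids(parsed, 1, lo, hi),
              "disabled by default:", disabled_by_default(parsed, 1, lo, hi))
    print(count_by_ruleset(parsed))
```

Run it against the full text of the change log you received rather than the sample, and feed the disabled-by-default list to whatever tool manages rule states in your policy; the `missing_sids` check is there because the three per-version sections above are ordered differently and a SID dropped from one of them would otherwise go unnoticed.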