Talos Rules 2021-01-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-other, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats. Note the default rule state column below: several of the new rules (for example the Nagios XI mibs.php command injection and BasicPipeShell C2 rules) ship DISABLED and will not alert until enabled in your policy, while the GID 3 entries are shared-object rules that are compiled per Snort build, which is why a separate list is published for each Snort version.

Change logs

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)

Modified Rules:


 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
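
The block above is in the "gid:sid <-> Default rule state <-> Message (rule group)" format described at the top of each change log. As an added example (not Talos code or part of the release page), the script below parses that format, splits the entries per "Snort version NNNNNNN" block, lists the new rules that ship DISABLED so an operator can decide whether to enable them, singles out the GID 3 shared-object rules, and checks that every per-version block lists the same (gid, sid) set. The sample input is a constructed excerpt in the page's format; the `enablesid` output assumes PulledPork-style `gid:sid` lines and the rule-state semantics are as stated in the change log, neither of which the page itself elaborates.

```python
"""Parse the Snort Subscriber Rules Update changelog format.

Added example, not Talos code. Reads 'gid:sid <-> STATE <-> message (group)'
lines, groups them per 'Snort version NNNNNNN' block, and answers two
operator questions: which new rules ship DISABLED (they will not alert
until enabled), and whether every per-version block lists the same rules.
"""
import re
from dataclasses import dataclass

# A rule line: " * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI ... (server-webapp.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
# Header line that starts a new per-version block.
VERSION_RE = re.compile(r"for Snort version (?P<version>\d+)\.?\s*$")


@dataclass(frozen=True, order=True)
class RuleEntry:
    gid: int
    sid: int
    state: str     # "ENABLED" or "DISABLED": default policy state in the pack
    msg: str
    group: str     # rule file, e.g. "server-webapp.rules"
    section: str   # "New Rules" or "Modified Rules"


def parse_changelog(text):
    """Return {snort_version: [RuleEntry, ...]} for every version block in text.

    Rule lines seen before any version header are kept under the key "".
    """
    packs = {"": []}
    version, section = "", ""
    for line in text.splitlines():
        stripped = line.strip()
        vm = VERSION_RE.search(stripped)
        if vm:
            version, section = vm["version"], ""
            packs.setdefault(version, [])
            continue
        if stripped.endswith("Rules:"):          # "New Rules:" / "Modified Rules:"
            section = stripped[:-1]
            continue
        em = ENTRY_RE.match(line)
        if em:
            packs[version].append(RuleEntry(int(em["gid"]), int(em["sid"]), em["state"],
                                            em["msg"], em["group"], section))
    if not packs[""]:
        del packs[""]
    return packs


def disabled_new_rules(entries):
    """New rules that will not alert until the operator enables them."""
    return sorted(e for e in entries if e.section == "New Rules" and e.state == "DISABLED")


def enablesid_lines(entries):
    """'gid:sid' lines in the form PulledPork's enablesid.conf accepts (assumed tooling)."""
    return [f"{e.gid}:{e.sid}" for e in entries]


def shared_object_rules(entries):
    """GID 3 entries: shared-object rules, precompiled for a specific Snort build."""
    return sorted(e for e in entries if e.gid == 3)


def pack_differences(packs):
    """(gid, sid) pairs present in some version blocks but not in all of them.

    Each block lists its rules in a different order; this compares sets, so
    only genuine omissions are reported.
    """
    sets = {v: {(e.gid, e.sid) for e in es} for v, es in packs.items()}
    union = set().union(*sets.values())
    common = set.intersection(*sets.values())
    return sorted(union - common)


# Constructed excerpt in the changelog format: two version blocks, the second
# deliberately omitting one rule so pack_differences() has something to report.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

New Rules:

 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

New Rules:

 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    packs = parse_changelog(SAMPLE)
    for version, entries in packs.items():
        print(f"Snort {version}: {len(entries)} entries, "
              f"{len(shared_object_rules(entries))} shared-object (GID 3)")
        print("  enable to alert on:", enablesid_lines(disabled_new_rules(entries)))
    print("missing from some packs:", pack_differences(packs))
```

Run it against a saved copy of this page instead of `SAMPLE` to get the full enablesid candidate list; on the change logs above, `pack_differences()` should return an empty list, since each version block carries the same rule set in a different order.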

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)

Modified Rules:


 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)

Modified Rules:


 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

2021-01-14 14:18:58 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (snort3-malware-backdoor.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (snort3-malware-cnc.rules)
 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (snort3-server-webapp.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (snort3-malware-backdoor.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (snort3-server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (snort3-exploit-kit.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (snort3-server-webapp.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (snort3-server-webapp.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (snort3-malware-backdoor.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (snort3-malware-cnc.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (snort3-malware-backdoor.rules)

Modified Rules:


 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (snort3-server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (snort3-server-webapp.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (snort3-server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (snort3-exploit-kit.rules)

2021-01-14 14:18:59 UTC

Snort Subscriber Rules Update

Date: 2021-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56879 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:56880 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56891 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56889 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56892 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt (malware-cnc.rules)
 * 1:56878 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56888 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 1:56890 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell transfer attempt (malware-backdoor.rules)
 * 3:56871 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56868 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56884 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56867 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56840 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56839 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56872 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56883 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)
 * 3:56875 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56876 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56881 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)
 * 3:56866 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56861 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56844 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56873 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56841 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56842 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56843 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56869 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56885 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56870 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56874 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:56882 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect information disclosure attempt (file-other.rules)

Modified Rules:


 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:56446 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)
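Every entry above follows the `gid:sid <-> Default rule state <-> Message (rule group)` layout, and the same SIDs are listed once per Snort version pack, so what a deployment team actually needs from these notes is a reduced view: which new rules ship DISABLED and must be enabled locally (the Nagios XI, RIG EK and BasicPipeShell rules here), and which rules present in one pack do not appear in another (on this page the Snort 3 pack, version 3000, lists only gid:1 rules). The script below is an added example, not code from Talos or the Snort project; it parses a constructed excerpt of this page's changelog (the `SAMPLE` string, built from entries above) and answers both questions. The function names and the excerpt are this example's own.

```python
"""Parse Snort Subscriber Rules Update changelogs and report what needs
operator attention. Added example; not part of the Talos release notes."""
import re
import sys
from dataclasses import dataclass

# One changelog entry: " * 1:56877 <-> DISABLED <-> SERVER-WEBAPP ... (server-webapp.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
# Header line that opens a new per-version section of the changelog.
VERSION_RE = re.compile(r"rule pack for Snort version (?P<ver>\d+)")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str   # default state in the pack: "ENABLED" or "DISABLED"
    msg: str     # rule message, category token first
    group: str   # rule file the SID lives in


def parse_changelog(text):
    """Return {snort_version: {"New Rules": [Rule], "Modified Rules": [Rule]}}."""
    packs = {}
    version = section = None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:                              # new per-version section starts
            version = m["ver"]
            packs[version] = {"New Rules": [], "Modified Rules": []}
            section = None
            continue
        label = line.strip().rstrip(":")
        if label in ("New Rules", "Modified Rules"):
            section = label
            continue
        m = RULE_RE.match(line)            # the format description line does not match
        if m and version and section:
            packs[version][section].append(
                Rule(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return packs


def disabled_by_default(packs, version):
    """(gid, sid) of new rules that ship DISABLED and need enabling locally."""
    return sorted((r.gid, r.sid) for r in packs[version]["New Rules"]
                  if r.state == "DISABLED")


def missing_from(packs, src, dst):
    """New rules in pack `src` whose gid:sid is not listed as new in pack `dst`."""
    have = {(r.gid, r.sid) for r in packs[dst]["New Rules"]}
    return sorted((r.gid, r.sid) for r in packs[src]["New Rules"]
                  if (r.gid, r.sid) not in have)


def count_by_category(packs, version):
    """Number of new rules per message category (first token of the message)."""
    counts = {}
    for r in packs[version]["New Rules"]:
        cat = r.msg.split(" ", 1)[0]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed excerpt of the 2021-01-14 changelog (two of the five version packs).
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (malware-backdoor.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (exploit-kit.rules)
 * 3:56838 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client openssl config DLL load attempt (file-other.rules)

Modified Rules:

 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 3:42493 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Routers SSDP uuid stack buffer overflow attempt (server-other.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:56887 <-> ENABLED <-> MALWARE-BACKDOOR Win.Trojan.BumbleBee webshell access detected (snort3-malware-backdoor.rules)
 * 1:56877 <-> DISABLED <-> SERVER-WEBAPP Nagios XI mibs.php remote command injection attempt (snort3-server-webapp.rules)
 * 1:56886 <-> DISABLED <-> EXPLOIT-KIT RIG EK GandCrab page access attempt (snort3-exploit-kit.rules)

Modified Rules:

 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    packs = parse_changelog(text)
    for ver in packs:
        print(f"Snort pack {ver}: {count_by_category(packs, ver)}")
        print("  new but DISABLED by default:", disabled_by_default(packs, ver))
    if "2091300" in packs and "3000" in packs:
        print("new in 2091300 but absent from the 3000 pack:",
              missing_from(packs, "2091300", "3000"))
```

Run it with no arguments to see the report for the excerpt, or pass the path of a saved copy of the full release notes to get the same report for all five packs; the DISABLED list is what goes into the local enable configuration after the pack is installed, and the cross-pack diff is the quickest way to spot gid:3 coverage that a Snort 3 sensor will not get from this release.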