Talos has added and modified multiple rules in the file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (snort3-server-webapp.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (snort3-server-webapp.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (snort3-server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (snort3-policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PyMicropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57225 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57219 <-> DISABLED <-> POLICY-OTHER SAP Solution Manager EEM endpoint external access attempt (policy-other.rules)
* 1:57218 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource server side request forgery attempt (server-webapp.rules)
* 1:57224 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 1:57229 <-> ENABLED <-> SERVER-WEBAPP VMware vSphere Client vROPs plugin remote code execution attempt (server-webapp.rules)
* 1:57220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia variant outbound connection attempt (malware-cnc.rules)
* 1:57217 <-> DISABLED <-> SERVER-WEBAPP SAP Solution Manager EEM uploadResource command execution attempt (server-webapp.rules)
* 1:57226 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager directory traversal attempt (server-webapp.rules)
* 3:57222 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS arbitrary file write attempt (server-other.rules)
* 3:57231 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57223 <-> ENABLED <-> POLICY-OTHER Cisco Application Services Engine API access detected (policy-other.rules)
* 3:57227 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)
* 3:57230 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1223 attack attempt (file-other.rules)
* 3:57228 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1225 attack attempt (file-other.rules)