Talos Rules 2021-03-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-pdf, malware-backdoor, malware-cnc, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (snort3-server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (snort3-policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (snort3-policy-other.rules)

2021-03-18 12:55:08 UTC

Snort Subscriber Rules Update

Date: 2021-03-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
 * 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
 * 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
 * 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
 * 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
 * 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)

Modified Rules:

 * 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)