Talos Rules 2021-03-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-other, netbios and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (snort3-server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (snort3-server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (snort3-server-webapp.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (snort3-malware-other.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (snort3-policy-other.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (snort3-server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (snort3-server-webapp.rules)
 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (snort3-server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (snort3-server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (snort3-server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (snort3-malware-other.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (snort3-server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (snort3-server-webapp.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (snort3-server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (snort3-server-webapp.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (snort3-server-webapp.rules)

Modified Rules:



2021-03-23 12:46:39 UTC

Snort Subscriber Rules Update

Date: 2021-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57334 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57333 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57322 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57323 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoejoCrypt variant binary download attempt (malware-other.rules)
 * 1:57324 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57325 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57326 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57336 <-> DISABLED <-> POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt (policy-other.rules)
 * 1:57335 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57327 <-> DISABLED <-> SERVER-WEBAPP Netis WF2419 router command injection attempt (server-webapp.rules)
 * 1:57328 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57337 <-> ENABLED <-> SERVER-WEBAPP F5 iControl REST interface ssrf attempt (server-webapp.rules)
 * 1:57329 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57330 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 1:57332 <-> DISABLED <-> SERVER-WEBAPP Netgear ProSAFE Plus unauthenticated command injection attempt (server-webapp.rules)
 * 1:57331 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 Firewall command injection attempt (server-webapp.rules)
 * 3:57339 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)
 * 3:57340 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1269 attack attempt (netbios.rules)
 * 3:57338 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1273 attack attempt (server-webapp.rules)

Modified Rules: