Talos Rules 2021-05-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-26419: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57542 through 57543.

Microsoft Vulnerability CVE-2021-31166: A coding deficiency exists in HTTP Protocol Stack that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57549 through 57550.

Microsoft Vulnerability CVE-2021-31170: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57539 through 57540.

Microsoft Vulnerability CVE-2021-31181: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 57548.

Microsoft Vulnerability CVE-2021-31188: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57544 through 57545.

Talos has also added and modified multiple rules in the browser-ie, file-image, file-other, malware-backdoor, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
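A parser for the changelog entry format above, plus a check that reconciles the advisory's stated GID/SID coverage for each CVE with the New Rules list and flags rules that ship DISABLED by default (a sensor gets no coverage for those until an operator enables them). This is an added example, not Talos or Snort code; the sample advisory and changelog lines are copied from this release, and the coverage-sentence regex assumes the wording used above.

```python
"""Parse a Snort rules changelog in the format above and reconcile it with the
advisory's stated CVE -> GID/SID coverage, reporting rules that are DISABLED by
default and SIDs the advisory claims but the changelog does not list."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Entry format stated by the changelog:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)
# Coverage sentence wording used in the advisory text above (assumption: other
# Talos advisories may phrase this differently and would need a different regex).
COVERAGE_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d+).*?GID (?P<gid>\d+), SIDs? (?P<lo>\d+)(?: through (?P<hi>\d+))?",
    re.DOTALL,
)

@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool  # default rule state in the shipped pack
    message: str
    group: str

def parse_changelog(text: str) -> List[Rule]:
    """Return one Rule per changelog entry, in file order."""
    rules = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # headers, blank lines and the format description line do not match
            rules.append(Rule(int(m["gid"]), int(m["sid"]),
                              m["state"] == "ENABLED", m["msg"], m["group"]))
    return rules

def parse_coverage(advisory: str) -> Dict[str, Tuple[int, int, int]]:
    """Map each CVE to (gid, first_sid, last_sid) from the advisory's coverage sentences."""
    cov = {}
    for m in COVERAGE_RE.finditer(advisory):
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo  # "SID N" (no 'through') is a single rule
        cov[m["cve"]] = (int(m["gid"]), lo, hi)
    return cov

def reconcile(advisory: str, changelog: str) -> Dict[str, dict]:
    """Per CVE: the claimed SIDs, those missing from the changelog, and those that
    are present but DISABLED by default (no coverage until an operator enables them)."""
    rules = {(r.gid, r.sid): r for r in parse_changelog(changelog)}
    report = {}
    for cve, (gid, lo, hi) in parse_coverage(advisory).items():
        sids = list(range(lo, hi + 1))
        report[cve] = {
            "gid": gid,
            "sids": sids,
            "missing": [s for s in sids if (gid, s) not in rules],
            "disabled_by_default": [s for s in sids
                                    if (gid, s) in rules and not rules[(gid, s)].enabled],
        }
    return report

# Sample input copied from this release: the advisory's coverage sentences and
# the New Rules entries of the first changelog.
ADVISORY = """\
Microsoft Vulnerability CVE-2021-26419: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57542 through 57543.
Microsoft Vulnerability CVE-2021-31166: A coding deficiency exists in HTTP Protocol Stack that may lead to remote code execution.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57549 through 57550.
Microsoft Vulnerability CVE-2021-31170: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57539 through 57540.
Microsoft Vulnerability CVE-2021-31181: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 57548.
Microsoft Vulnerability CVE-2021-31188: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57544 through 57545.
"""
CHANGELOG = """\
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
"""

if __name__ == "__main__":
    for cve, info in reconcile(ADVISORY, CHANGELOG).items():
        off = info["disabled_by_default"]
        state = f"DISABLED by default: {off}" if off else "enabled by default"
        print(f"{cve}: GID {info['gid']} SIDs {info['sids']} -> {state}; missing: {info['missing']}")
```

For this release the check shows that the CVE-2021-26419 and CVE-2021-31166 rules are enabled by default, while the CVE-2021-31170, CVE-2021-31181 and CVE-2021-31188 rules ship disabled.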

New Rules:


 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
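The lists above follow the one-line-per-rule format stated at the top of each block (gid:sid <-> Default rule state <-> Message (rule group)), and they carry a detail the advisory summary does not spell out: several of the rules that cover this month's Microsoft CVEs ship DISABLED in the default policy (1:57539 and 1:57540 for CVE-2021-31170, 1:57544 and 1:57545 for CVE-2021-31188, 1:57548 for CVE-2021-31181), so a sensor running the default policy will not alert on them until they are enabled. The following script is an added example, not Talos or Snort code: it parses changelog text in that format, cross-checks it against the CVE-to-SID ranges given in the release notes above, and lists the covering rules that are off by default together with any advertised SIDs that are missing from the pack. The sample input is copied from the Snort 2091300 block above; the CVE-to-SID table is transcribed from the release notes; the gid:sid output lines assume PulledPork-style enablesid.conf as the rule-management tool, which is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the "New Rules" list of the Snort 2091300 block
# plus one "Modified Rules" line, in the changelog's own line format.
SAMPLE_CHANGELOG = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:

 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:

 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
"""

# One changelog entry: "gid:sid <-> Default rule state <-> Message (rule group)".
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[^()]+)\)\s*$"
)
VERSION_LINE = re.compile(r"for Snort version (?P<version>\d+)\.")
SECTIONS = ("New Rules", "Modified Rules")

# CVE -> (gid, first sid, last sid), transcribed from the release notes above.
ADVISORY_COVERAGE = {
    "CVE-2021-26419": (1, 57542, 57543),
    "CVE-2021-31166": (1, 57549, 57550),
    "CVE-2021-31170": (1, 57539, 57540),
    "CVE-2021-31181": (1, 57548, 57548),
    "CVE-2021-31188": (1, 57544, 57545),
}


@dataclass(frozen=True)
class RuleEntry:
    version: Optional[str]  # Snort version of the enclosing block, if seen
    section: str            # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    state: str              # default rule state: ENABLED or DISABLED
    msg: str
    group: str              # rule group file, e.g. os-windows.rules


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse every rule line in the changelog, tagging it with its version block and section."""
    entries: List[RuleEntry] = []
    version, section = None, None
    for line in text.splitlines():
        v = VERSION_LINE.search(line)
        if v:                       # a new per-version block starts; reset the section
            version, section = v["version"], None
            continue
        heading = line.strip().rstrip(":")
        if heading in SECTIONS:
            section = heading
            continue
        m = RULE_LINE.match(line)
        if m and section:
            entries.append(RuleEntry(version, section, int(m["gid"]), int(m["sid"]),
                                     m["state"], m["msg"], m["group"]))
    return entries


def disabled_coverage(entries: List[RuleEntry], coverage=ADVISORY_COVERAGE) -> Dict[str, List[int]]:
    """CVE -> SIDs of covering rules that ship DISABLED by default (present in the pack but off)."""
    by_key = {(e.gid, e.sid): e for e in entries}
    result: Dict[str, List[int]] = {}
    for cve, (gid, lo, hi) in coverage.items():
        off = [sid for sid in range(lo, hi + 1)
               if (gid, sid) in by_key and by_key[(gid, sid)].state == "DISABLED"]
        if off:
            result[cve] = off
    return result


def missing_sids(entries: List[RuleEntry], coverage=ADVISORY_COVERAGE) -> List[str]:
    """gid:sid pairs the advisory advertises that do not appear in the changelog at all."""
    present = {(e.gid, e.sid) for e in entries}
    return sorted(f"{gid}:{sid}" for gid, lo, hi in coverage.values()
                  for sid in range(lo, hi + 1) if (gid, sid) not in present)


def enablesid_lines(entries: List[RuleEntry], coverage=ADVISORY_COVERAGE) -> List[str]:
    """gid:sid lines for the off-by-default covering rules, one per line as a
    PulledPork enablesid.conf expects (assumption: that is the tool in use)."""
    gid_of = {cve: gid for cve, (gid, _, _) in coverage.items()}
    return sorted(f"{gid_of[cve]}:{sid}"
                  for cve, sids in disabled_coverage(entries, coverage).items() for sid in sids)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for cve, sids in disabled_coverage(parsed).items():
        print(f"{cve}: covering rules DISABLED by default: {sids}")
    print("missing from pack:", missing_sids(parsed) or "none")
    print("\n".join(enablesid_lines(parsed)))
```

Run against the full changelog for the Snort build you deploy rather than the sample, since the Snort 3 block above lists a different set (no GID 3 rules, and 1:300013 in snort3-native.rules); whatever tool you use to turn the enable list into policy, confirm the state change on the sensor with its rule-state dump before counting the CVE as covered.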

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (snort3-os-windows.rules)
 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (snort3-os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (snort3-os-windows.rules)
 * 1:300013 <-> ENABLED <-> SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt (snort3-native.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (snort3-os-windows.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (snort3-server-webapp.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (snort3-server-other.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (snort3-server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (snort3-os-windows.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (snort3-server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (snort3-server-other.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (snort3-server-other.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (snort3-server-webapp.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (snort3-server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (snort3-malware-backdoor.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (snort3-server-webapp.rules)

2021-05-11 18:24:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57539 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57540 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:57541 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection (malware-backdoor.rules)
 * 1:57542 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57543 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57544 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57545 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:57548 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:57549 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:57550 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 3:57547 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)
 * 3:57546 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1295 attack attempt (file-other.rules)

Modified Rules:


 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:51239 <-> DISABLED <-> SERVER-OTHER PHP-Proxy local file include attempt (server-other.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15145 <-> DISABLED <-> SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:57465 <-> ENABLED <-> MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection (malware-backdoor.rules)
 * 1:2278 <-> DISABLED <-> SERVER-WEBAPP HTTP request with negative Content-Length attempt (server-webapp.rules)
 * 1:16014 <-> DISABLED <-> SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt (server-other.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:15146 <-> DISABLED <-> SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt (server-other.rules)
 * 1:20617 <-> DISABLED <-> SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:55703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Netlogon crafted NetrServerReqChallenge elevation of privilege attempt (os-windows.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 3:54411 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54412 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54413 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)
 * 3:54414 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1095 attack attempt (file-image.rules)