Talos Rules 2021-07-20
This release adds and modifies rules in several categories.

Talos has added one rule to the server-webapp rule set (1:57918, a directory traversal detection for Hewlett Packard Enterprise Intelligent Management Center MibFileServlet, listed as disabled by default in the Snort 2 packs) and modified rules in the malware-backdoor, os-other, server-apache, server-other, server-webapp and sql rule sets to provide coverage for emerging threats from these technologies. The Snort 3 packs additionally receive new gid 3 rules for TRUFFLEHUNTER advisories and for Cisco Business Process Automation and Cisco Web Security Appliance, listed in their own change logs below.

Change logs

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (snort3-server-webapp.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (snort3-malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (snort3-malware-backdoor.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (snort3-malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (snort3-malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (snort3-server-other.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (snort3-malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (snort3-malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (snort3-sql.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (snort3-malware-backdoor.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (snort3-server-apache.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (snort3-malware-backdoor.rules)

2021-07-20 13:21:13 UTC

Snort Subscriber Rules Update

Date: 2021-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:1982 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 (malware-backdoor.rules)
 * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
 * 1:1981 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150 (malware-backdoor.rules)
 * 1:195 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response (malware-backdoor.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:108 <-> DISABLED <-> MALWARE-BACKDOOR QAZ Worm Client Login access (malware-backdoor.rules)
 * 1:1984 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 (malware-backdoor.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:16426 <-> DISABLED <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method (server-webapp.rules)
 * 1:1983 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120 (malware-backdoor.rules)
 * 1:2100 <-> DISABLED <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response (malware-backdoor.rules)
 * 3:57746 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)

2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
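The change logs above use two line layouts: the Snort 2 packs print "gid:sid <-> Default rule state <-> Message (rule group)", while the Snort 3 packs print only "gid:sid <-> Message" with no default state and no rule file. An operator reviewing an update usually wants two things from these lists: which newly added rules are DISABLED by default and so will not fire until enabled (here, 1:57918), and whether the pack for their own Snort version carries the same set of changes as the others. The parser below is an added example, not Talos code or part of the rule pack; it handles both layouts, and its two sample inputs are constructed from lines shown on this page, trimmed to a few entries. The gid:sid strings it emits are in the form that rule-management tooling such as PulledPork's enablesid.conf accepts.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One regex covers both line layouts used in the change logs:
#   Snort 2 packs:  " * 1:57918 <-> DISABLED <-> SERVER-WEBAPP ... attempt (server-webapp.rules)"
#   Snort 3 packs:  "* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt"
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?:(?P<state>ENABLED|DISABLED)\s*<->\s*)?"
    r"(?P<msg>.*?)"
    r"(?:\s*\((?P<group>[\w.-]+\.rules)\))?\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: Optional[str]    # "ENABLED"/"DISABLED"; None where the pack format carries no default state
    message: str
    group: Optional[str]    # rule file such as "server-webapp.rules"; None where the format omits it
    section: str            # "new" or "modified"

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # The message begins with the rule category token (SERVER-WEBAPP, MALWARE-BACKDOOR, SQL, ...)
        return self.message.split(" ", 1)[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse one 'Snort Subscriber Rules Update' block into RuleEntry records."""
    entries: list[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue  # dates, headers, blank lines, and anything outside a rule list
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]), state=m["state"],
            message=m["msg"].strip(), group=m["group"], section=section,
        ))
    return entries


def new_disabled_by_default(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of rules added by this update that will not fire until explicitly enabled."""
    return sorted(e.ref for e in entries if e.section == "new" and e.state == "DISABLED")


def category_counts(entries: list[RuleEntry]) -> dict[str, int]:
    """How many touched rules fall in each category, to see where an update concentrates."""
    return dict(Counter(e.category for e in entries))


def missing_from(a: list[RuleEntry], b: list[RuleEntry]) -> list[str]:
    """gid:sid present in pack a but absent from pack b, to spot per-version differences."""
    return sorted({e.ref for e in a} - {e.ref for e in b})


# Constructed sample: a trimmed Snort 2 block in the layout shown on this page.
SAMPLE_SNORT2 = """\
Snort Subscriber Rules Update

Date: 2021-07-20

New Rules:

 * 1:57918 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 3:57745 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt (os-other.rules)
"""

# Constructed sample: a trimmed Snort 3 block, whose lines carry no default state or rule file.
SAMPLE_SNORT3 = """\
New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
"""


if __name__ == "__main__":
    s2 = parse_changelog(SAMPLE_SNORT2)
    s3 = parse_changelog(SAMPLE_SNORT3)
    print("new rules disabled by default:", new_disabled_by_default(s2))
    print("categories touched:", category_counts(s2))
    print("in Snort 2 sample but not Snort 3 sample:", missing_from(s2, s3))
```

Running the script on the two samples reports 1:57918 as the only new rule that is disabled by default, which is the entry an HPE IMC operator would want to enable after confirming it against their traffic. Note that the Snort 3 layout gives no default state at all, so new_disabled_by_default returns nothing for it; the state must be read from the installed rule file rather than from this change log.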


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:58 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt


2021-07-20 13:34:59 UTC

Snort Subscriber Rules Update

Date: 2021-07-19-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 3:57829 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1316 attack attempt
* 3:57830 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57831 <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1336 attack attempt
* 3:57882 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57883 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57884 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57885 <-> SERVER-WEBAPP Cisco Business Process Automation privilege escalation attempt
* 3:57886 <-> POLICY-OTHER Cisco Business Process Automation permissions modification detected
* 3:57887 <-> SERVER-WEBAPP Cisco Web Security Appliance command injection attempt
* 3:57888 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57889 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1339 attack attempt
* 3:57899 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 3:57900 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt
* 1:57918 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center MibFileServlet File Deletion directory traversal attempt

Modified Rules:

* 1:108 <-> MALWARE-BACKDOOR QAZ Worm Client Login access
* 1:13990 <-> SQL union select - possible sql injection attempt - GET parameter
* 1:16426 <-> SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method
* 1:195 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response
* 1:1980 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection
* 1:1981 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
* 1:1982 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150
* 1:1983 <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
* 1:1984 <-> MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120
* 1:2100 <-> MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response
* 1:44328 <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 3:57745 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57746 <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1309 attack attempt
* 3:57783 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt
* 3:57784 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt