Talos Rules 2021-08-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-26432: A coding deficiency exists in Microsoft Windows Services for NFS ONCRPC XDR Driver that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 58003.

Microsoft Vulnerability CVE-2021-34480: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57998 through 57999.

Microsoft Vulnerability CVE-2021-34535: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 57997.

Talos has added and modified multiple rules in the browser-chrome, browser-ie, malware-cnc, malware-other, os-linux and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 3:58001 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)
 * 3:58002 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1352 attack attempt (browser-chrome.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (snort3-os-linux.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (snort3-malware-other.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (snort3-os-windows.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (snort3-os-windows.rules)
 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (snort3-os-linux.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (snort3-server-other.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (snort3-os-linux.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (snort3-os-linux.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (snort3-malware-cnc.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)

Modified Rules:



2021-08-10 17:22:40 UTC

Snort Subscriber Rules Update

Date: 2021-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57987 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:58003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NFS remote code execution attempt (os-windows.rules)
 * 1:57984 <-> DISABLED <-> SERVER-OTHER Apache Dubbo insecure deserialization remote code execution attempt (server-other.rules)
 * 1:57990 <-> ENABLED <-> MALWARE-OTHER Muhstik botnet outbound HTTP scanner request (malware-other.rules)
 * 1:57997 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client integer overflow attempt (os-windows.rules)
 * 1:57995 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57993 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57988 <-> DISABLED <-> OS-LINUX Linux Kernel netfilter xt_compat_target_from_user out of bounds write attempt (os-linux.rules)
 * 1:57999 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57992 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound connection detected (malware-cnc.rules)
 * 1:58000 <-> DISABLED <-> MALWARE-CNC Zloader command and control outbound connection attempt (malware-cnc.rules)
 * 1:57985 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)
 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 1:57998 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57994 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57996 <-> ENABLED <-> MALWARE-CNC Jsp.Webshell.JspFileBrowser inbound connection attempt (malware-cnc.rules)
 * 1:57986 <-> DISABLED <-> OS-LINUX Linux Kernel seq_file integer underflow privilege escalation attempt (os-linux.rules)

Modified Rules:



2021-08-10 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt


2021-08-10 17:26:50 UTC

Snort Subscriber Rules Update

Date: 2021-08-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57983 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt

Modified Rules:

* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt