Talos Rules 2021-09-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-36963: A coding deficiency exists in the Microsoft Windows Common Log File System (CLFS) driver that may lead to an escalation of privilege.

Previously released rules detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40689 through 40690. Note that both rules (FILE-OTHER, Microsoft Windows BLF file local privilege escalation attempt) are listed with a default state of DISABLED in the change log below, so they must be enabled explicitly for this coverage to take effect.

Microsoft Vulnerability CVE-2021-36975: A coding deficiency exists in the Microsoft Win32k kernel driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58136 through 58137. Both are listed with a default state of DISABLED in the change log below and must be enabled explicitly.

Microsoft Vulnerability CVE-2021-38633: A coding deficiency exists in the Microsoft Windows Common Log File System (CLFS) driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58140 through 58141. Both are listed with a default state of ENABLED in the change log below.

Microsoft Vulnerability CVE-2021-40444: A coding deficiency exists in the Microsoft MSHTML engine that may lead to remote code execution.

Previously released rules detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 58120 through 58129 and 58132 through 58135.

Talos has also added and modified multiple rules in the file-image, file-other, malware-other, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats. As the change log below shows, these include upload and download detections for the R57, WorseLinux and Ayyildiz PHP web shells and the RemExp ASP web shell, a rule for a Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow, and GID 3 rules for TALOS-2021-1373. Check the default state of each rule before assuming coverage: several of the web shell download rules, like the Win32k rules above, ship DISABLED.

Change logs

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
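The script below is an added example, not code from Talos or from the Snort project. It parses entries in the format just described and answers the question this advisory leaves to the reader: for each CVE the summary cites, which of the named SIDs actually ship enabled. The sample change-log text and the CVE-to-SID map are constructed from entries on this page; the `gid:sid`-per-line output of `sids_to_enable` is the form PulledPork's enablesid.conf accepts, which is an assumption about the reader's rule-management tooling.

```python
"""Parse a Snort Subscriber Rules Update change log and check default rule states.

Added example; not Talos or Snort code. The sample text below is copied from
entries in the change log on this page; the CVE map is from the advisory summary.
"""
import re

# Constructed sample input: a subset of the change-log lines shown on this page.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:

 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
"""

# CVE -> list of (gid, first_sid, last_sid), as stated in the advisory summary.
ADVISORY_COVERAGE = {
    "CVE-2021-36963": [(1, 40689, 40690)],
    "CVE-2021-36975": [(1, 58136, 58137)],
    "CVE-2021-38633": [(1, 58140, 58141)],
    "CVE-2021-40444": [(1, 58120, 58129), (1, 58132, 58135)],
}

# One change-log entry: " * gid:sid <-> STATE <-> message (rule-group file)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+)\)\s*$"
)


def parse_changelog(text):
    """Return {"new": {(gid, sid): entry}, "modified": {...}} from change-log text."""
    sections = {"new": {}, "modified": {}}
    current = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = "new"
            continue
        if heading == "Modified Rules:":
            current = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            key = (int(m["gid"]), int(m["sid"]))
            sections[current][key] = {
                "state": m["state"], "msg": m["msg"], "group": m["group"],
            }
    return sections


def coverage_report(sections, coverage=ADVISORY_COVERAGE):
    """Map each CVE to [(gid, sid, default state)] for the SIDs the advisory cites.

    SIDs the advisory names but the change log does not list (for example rules
    released in an earlier update) are reported as "NOT IN CHANGELOG".
    """
    listed = {**sections["modified"], **sections["new"]}
    report = {}
    for cve, ranges in coverage.items():
        rows = []
        for gid, lo, hi in ranges:
            for sid in range(lo, hi + 1):
                entry = listed.get((gid, sid))
                rows.append((gid, sid, entry["state"] if entry else "NOT IN CHANGELOG"))
        report[cve] = rows
    return report


def sids_to_enable(sections):
    """gid:sid lines for every rule that ships DISABLED, in the form PulledPork's
    enablesid.conf accepts (assumed tooling; adapt for your rule manager)."""
    listed = {**sections["new"], **sections["modified"]}
    return sorted(f"{gid}:{sid}" for (gid, sid), e in listed.items()
                  if e["state"] == "DISABLED")


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for cve, rows in coverage_report(parsed).items():
        print(cve)
        for gid, sid, state in rows:
            print(f"  {gid}:{sid}  {state}")
    print("\nenablesid.conf candidates:")
    print("\n".join(sids_to_enable(parsed)))
```

Run against the full text of a change log (not just the sample) to get the complete list; the report flags the CVE-2021-40444 SIDs as absent because they were released before this update, and lists the CVE-2021-36963 and CVE-2021-36975 rules as DISABLED, which is the state that matters when deciding whether a sensor actually has the coverage the summary describes.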

New Rules:


 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 3:58154 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)
 * 3:58153 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt (file-image.rules)

Modified Rules:


 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (snort3-server-other.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (snort3-malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (snort3-malware-other.rules)
 * 1:300051 <-> ENABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (snort3-native.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (snort3-malware-other.rules)
 * 1:300050 <-> ENABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (snort3-native.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (snort3-malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (snort3-os-windows.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (snort3-malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (snort3-os-windows.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (snort3-malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (snort3-malware-other.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (snort3-malware-other.rules)
 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (snort3-malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (snort3-malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (snort3-malware-other.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (snort3-server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (snort3-server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
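
The lists above are easy to skim but easy to misread: a rule that appears in the pack with a DISABLED default state (for example 1:58136 and 1:58137, the Win32k entries) fires no alert until a policy enables it. The Python below is an added example, not Talos code or tooling, that parses both changelog shapes on this page (the Snort 2 form with a default state and rule group, and the shorter Snort 3 form with neither) into records and lists the gid:sid pairs that ship disabled, so the enable decision is made deliberately. The sample inputs are constructed from a few lines of this changelog; the plain gid:sid output is an assumed format, chosen because it is what rule-management enable lists generally take. Where the changelog omits the state, the parser reports it as unknown rather than guessing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One regex covers both line shapes used in these changelogs:
#   " * 1:58136 <-> DISABLED <-> OS-WINDOWS ... attempt (os-windows.rules)"   (Snort 2 packs)
#   "* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt"    (Snort 3 packs)
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?:(?P<state>ENABLED|DISABLED)\s*<->\s*)?"   # default state, absent in the Snort 3 shape
    r"(?P<msg>.*?)"
    r"(?:\s*\((?P<group>[\w.-]+\.rules)\))?\s*$"   # trailing rule group, also optional
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: Optional[str]   # "ENABLED", "DISABLED", or None when the changelog omits it
    message: str
    group: Optional[str]   # e.g. "os-windows.rules", or None
    section: str           # "new" or "modified"

    @property
    def category(self) -> str:
        """Leading classification token of the message, e.g. OS-WINDOWS."""
        return self.message.split(" ", 1)[0]

    @property
    def gid_sid(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Walk a changelog and return every rule line, tagged with its section."""
    entries: list[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m is None or section is None:
            continue   # prose, blank lines, or a rule line before any section heading
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]), state=m["state"],
            message=m["msg"].strip(), group=m["group"], section=section,
        ))
    return entries


def disabled_by_default(entries: list[RuleEntry], keyword: Optional[str] = None) -> list[str]:
    """gid:sid of rules the pack ships DISABLED, optionally filtered by a message substring.

    These rules are present in the pack but generate no alerts until the policy
    enables them, so this is the list to review when you want coverage for a
    product or bug named in the message.
    """
    out = []
    for e in entries:
        if e.state != "DISABLED":
            continue
        if keyword is not None and keyword.lower() not in e.message.lower():
            continue
        out.append(e.gid_sid)
    return out


def state_counts(entries: list[RuleEntry]) -> dict[str, Counter]:
    """Per-category count of ENABLED / DISABLED / UNKNOWN default states."""
    counts: dict[str, Counter] = {}
    for e in entries:
        counts.setdefault(e.category, Counter())[e.state or "UNKNOWN"] += 1
    return counts


# Constructed sample: a handful of lines copied from a Snort 2 pack changelog.
SAMPLE_SNORT2 = """\
New Rules:


 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)

Modified Rules:


 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
"""

# Constructed sample: the shorter Snort 3 shape, which carries no default state or rule group.
SAMPLE_SNORT3 = """\
New Rules:

* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
"""

if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_SNORT2)
    print("disabled by default:", disabled_by_default(entries))
    print("Win32k rules off by default:", disabled_by_default(entries, "win32k"))
    for cat, c in state_counts(entries).items():
        print(cat, dict(c))
```

Run against a full changelog, the keyword filter is the quick way to answer "which of the rules for this product are off in my policy"; the per-category counts show at a glance how much of a category (MALWARE-OTHER download rules, for instance) ships disabled. For Snort 3 pack changelogs the state column is simply not there, so the reported UNKNOWN is a prompt to check the rule files or policy directly, not a sign that the rule is enabled.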

2021-09-14 17:21:40 UTC

Snort Subscriber Rules Update

Date: 2021-09-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58148 <-> ENABLED <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt (malware-other.rules)
 * 1:58136 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58142 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58144 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58141 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58152 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58146 <-> ENABLED <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt (server-other.rules)
 * 1:58143 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt (malware-other.rules)
 * 1:58145 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt (malware-other.rules)
 * 1:58151 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58147 <-> DISABLED <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt (malware-other.rules)
 * 1:58138 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.R57 download attempt (malware-other.rules)
 * 1:58150 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt (malware-other.rules)
 * 1:58149 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt (malware-other.rules)
 * 1:58140 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt (os-windows.rules)
 * 1:58137 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt (os-windows.rules)
 * 1:58139 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.R57 upload attempt (malware-other.rules)

Modified Rules:


 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)

2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-14 17:28:56 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt