Talos Rules 2021-09-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, indicator-shellcode, malware-cnc and os-windows rule sets to provide coverage for emerging threats. Two of the gid:1 rules in this release (1:58155, the Ursnif outbound beacon, and 1:57605, the Windows HTTP protocol stack remote code execution attempt) ship with a default state of DISABLED, so they provide no coverage until enabled in local policy; the gid:3 TRUFFLEHUNTER rules are listed only for the Snort 2.9.x packs in this release.

Change logs

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58158 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58159 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58156 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (snort3-malware-cnc.rules)

Modified Rules:


 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (snort3-indicator-shellcode.rules)
 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (snort3-os-windows.rules)

2021-09-16 13:04:54 UTC

Snort Subscriber Rules Update

Date: 2021-09-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)

Modified Rules:


 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)
 * 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)

2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt
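
The two line shapes documented above, "gid:sid <-> Default rule state <-> Message (rule group)" for the Snort 2.9.x packs and "gid:sid <-> Message" for the Snort 3 packs, are easy to mis-read by hand across this many near-identical blocks. The Python below is an added example, not part of the Talos release notes or of any Snort tooling: it parses both shapes with one pattern, reports which rules a pack ships DISABLED by default (no coverage until you enable them locally), and lists the gid:sid pairs one pack carries that another does not. The sample text is a constructed, trimmed copy of three changelogs from this page; the class and function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Header line that opens each per-version changelog on this page.
VERSION_LINE = re.compile(r"rule pack for Snort version (?P<version>\S+?)\.\s*$")

# One rule entry, in either of the two shapes this release uses:
#   Snort 2:  " * 1:58155 <-> DISABLED <-> MALWARE-CNC ... beacon (malware-cnc.rules)"
#   Snort 3:  "* 1:300050 <-> SERVER-OTHER Apache CouchDB ... attempt"
# The default-state column and the trailing "(group.rules)" are optional, so one
# pattern covers both changelog formats.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?:(?P<state>ENABLED|DISABLED)\s*<->\s*)?"
    r"(?P<msg>.*?)"
    r"(?:\s*\((?P<group>[\w.-]+\.rules)\))?\s*$"
)

@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: Optional[str]   # None for Snort 3 changelogs, which carry no state column
    msg: str
    group: Optional[str]   # None where the changelog omits the rule file
    section: str           # "new" or "modified"

@dataclass
class Changelog:
    version: str
    rules: list[Rule] = field(default_factory=list)

def parse_changelogs(text: str) -> list[Changelog]:
    """Split a release page into one Changelog per 'Snort version' header."""
    logs: list[Changelog] = []
    section = "new"
    for line in text.splitlines():
        if m := VERSION_LINE.search(line):
            logs.append(Changelog(version=m["version"]))
            section = "new"
        elif line.strip() == "New Rules:":
            section = "new"
        elif line.strip() == "Modified Rules:":
            section = "modified"
        elif logs and (m := RULE_LINE.match(line)):
            logs[-1].rules.append(Rule(
                gid=int(m["gid"]), sid=int(m["sid"]), state=m["state"],
                msg=m["msg"].strip(), group=m["group"], section=section))
    return logs

def by_version(logs: list[Changelog]) -> dict[str, Changelog]:
    return {log.version: log for log in logs}

def disabled_by_default(log: Changelog) -> list[str]:
    """gid:sid of rules the pack ships switched off: no coverage until enabled locally."""
    return [f"{r.gid}:{r.sid}" for r in log.rules if r.state == "DISABLED"]

def missing_from(reference: Changelog, other: Changelog) -> set[str]:
    """gid:sid pairs listed for `reference` that `other` does not list at all."""
    have = {(r.gid, r.sid) for r in other.rules}
    return {f"{r.gid}:{r.sid}" for r in reference.rules if (r.gid, r.sid) not in have}

# Constructed sample: a trimmed copy of three of the changelogs on this page.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

New Rules:

 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (malware-cnc.rules)
 * 3:58157 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1371 attack attempt (file-image.rules)

Modified Rules:

 * 1:57605 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt (os-windows.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:58155 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound beacon (snort3-malware-cnc.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
"""

if __name__ == "__main__":
    logs = by_version(parse_changelogs(SAMPLE))
    for version, log in logs.items():
        print(version, "disabled by default:", disabled_by_default(log))
    print("in 2091801 but not in 3000:", sorted(missing_from(logs["2091801"], logs["3000"])))
```

Run against the full page text instead of SAMPLE to get the per-version view. The DISABLED list is the one to act on: a rule that ships disabled (here 1:58155 and 1:57605) is downloaded but not loaded into the policy, so it must be switched on locally (for example via an enablesid entry in a PulledPork configuration, or in the policy editor of the management console) before it detects anything. The missing_from comparison makes the other caveat on this page visible: the gid:3 (shared-object) TRUFFLEHUNTER rules appear only in the 2.9.x packs, so a sensor on the 3000 or 2983 pack receives no TALOS-2021-1371 coverage from this release.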


2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:19 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:20 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:20 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:20 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:20 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt


2021-09-16 13:06:20 UTC

Snort Subscriber Rules Update

Date: 2021-09-13-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300050 <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt
* 1:300051 <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt
* 1:58136 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58137 <-> OS-WINDOWS Microsoft Windows Win32k kernel driver privilege escalation attempt
* 1:58138 <-> MALWARE-OTHER Php.Webshell.R57 download attempt
* 1:58139 <-> MALWARE-OTHER Php.Webshell.R57 upload attempt
* 1:58140 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58141 <-> OS-WINDOWS Microsoft Windows CLFS local privilege escalation attempt
* 1:58142 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58143 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58144 <-> MALWARE-OTHER Php.Webshell.WorseLinux download attempt
* 1:58145 <-> MALWARE-OTHER Php.Webshell.WorseLinux upload attempt
* 1:58146 <-> SERVER-OTHER Realtek Wifi Simple Config UPnP SUBSCRIBE callback buffer overflow attempt
* 1:58147 <-> MALWARE-OTHER ASP.Webshell.RemExp download attempt
* 1:58148 <-> MALWARE-OTHER ASP.Webshell.RemExp upload attempt
* 1:58149 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58150 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 1:58151 <-> MALWARE-OTHER Php.Webshell.Ayyildiz upload attempt
* 1:58152 <-> MALWARE-OTHER Php.Webshell.Ayyildiz download attempt
* 3:58153 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt
* 3:58154 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1373 attack attempt

Modified Rules:

* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:49191 <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt
* 1:52243 <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt