Talos Rules 2021-10-07
This release adds and modifies rules in several categories.

Talos is releasing SID 58276 (SID 300053 for Snort3) as coverage for CVE-2021-41773, an Apache HTTP server directory traversal vulnerability which can lead to remote code execution.

Talos has added and modified multiple rules in the malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (snort3-malware-cnc.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (snort3-server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (snort3-server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (snort3-server-webapp.rules)
 * 1:300053 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-native.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (snort3-policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (snort3-malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)