Talos Rules 2021-10-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-40443: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58303 through 58304.

Microsoft Vulnerability CVE-2021-40449: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58288 through 58289.

Microsoft Vulnerability CVE-2021-40450: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58310 through 58313.

Microsoft Vulnerability CVE-2021-40466: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58308 through 58309.

Microsoft Vulnerability CVE-2021-40467: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58305 through 58306.

Microsoft Vulnerability CVE-2021-40470: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58294 through 58295.

Microsoft Vulnerability CVE-2021-40487: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58314 through 58319.

Microsoft Vulnerability CVE-2021-41357: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58286 through 58287.

Talos has also added and modified multiple rules in the malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
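As an added example (not part of the Talos release notes), a small Python parser for the gid:sid <-> Default rule state <-> Message (rule group) format above, which reconciles the SID ranges quoted in the advisory paragraphs against the New Rules list and flags rules that ship DISABLED by default, since those detect nothing until an operator enables them in the policy. The changelog excerpt is constructed from this page's 2091801 entries, and the CVE-to-SID map is transcribed from the advisory text.

```python
import re

# Constructed excerpt of the 2091801 changelog on this page, in the documented
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
CHANGELOG = """\
New Rules:

 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:

 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
"""

# CVE -> (gid, first sid, last sid), transcribed from the advisory paragraphs on this page.
ADVISORY_COVERAGE = {
    "CVE-2021-40443": (1, 58303, 58304),
    "CVE-2021-40449": (1, 58288, 58289),
    "CVE-2021-40450": (1, 58310, 58313),
    "CVE-2021-40466": (1, 58308, 58309),
    "CVE-2021-40467": (1, 58305, 58306),
    "CVE-2021-40470": (1, 58294, 58295),
    "CVE-2021-40487": (1, 58314, 58319),
    "CVE-2021-41357": (1, 58286, 58287),
}

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse a rules-update changelog into {"new": {...}, "modified": {...}},
    each keyed by (gid, sid) and holding the default state, message and rule group."""
    sections = {"new": {}, "modified": {}}
    current = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = "new"
            continue
        if heading == "Modified Rules:":
            current = "modified"
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            key = (int(m["gid"]), int(m["sid"]))
            sections[current][key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return sections


def check_coverage(parsed, coverage):
    """For every CVE in the advisory, list advertised SIDs that are absent from the
    New Rules section and those present but DISABLED by default (an operator must
    enable those in the policy before they detect anything)."""
    new = parsed["new"]
    report = {}
    for cve, (gid, lo, hi) in coverage.items():
        sids = list(range(lo, hi + 1))
        missing = [s for s in sids if (gid, s) not in new]
        disabled = [s for s in sids if (gid, s) in new and new[(gid, s)]["state"] == "DISABLED"]
        report[cve] = {"missing": missing, "disabled_by_default": disabled}
    return report


if __name__ == "__main__":
    for cve, result in check_coverage(parse_changelog(CHANGELOG), ADVISORY_COVERAGE).items():
        print(cve, result)
```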

New Rules:


 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 3:58298 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (snort3-os-windows.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (snort3-server-webapp.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (snort3-os-windows.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (snort3-server-webapp.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (snort3-server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (snort3-malware-other.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (snort3-server-webapp.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (snort3-malware-other.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (snort3-policy-other.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (snort3-policy-other.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (snort3-policy-other.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (snort3-os-windows.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (snort3-os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (snort3-os-windows.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (snort3-os-windows.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (snort3-server-webapp.rules)
 * 1:300053 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-native.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (snort3-server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (snort3-server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (snort3-server-webapp.rules)

2021-10-12 17:25:00 UTC

Snort Subscriber Rules Update

Date: 2021-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58313 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58286 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58296 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt (malware-other.rules)
 * 1:58283 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt (server-webapp.rules)
 * 1:58315 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58311 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58312 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58282 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt (server-webapp.rules)
 * 1:58318 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58316 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58285 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt (server-webapp.rules)
 * 1:58284 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58294 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58319 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58291 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt (server-webapp.rules)
 * 1:58314 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:58299 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58300 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58295 <-> DISABLED <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt (os-windows.rules)
 * 1:58306 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58305 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58293 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58297 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt (malware-other.rules)
 * 1:58304 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58289 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt (os-windows.rules)
 * 1:58309 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)
 * 1:58303 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt (os-windows.rules)
 * 1:58301 <-> DISABLED <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt (policy-other.rules)
 * 1:58292 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58310 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt (os-windows.rules)
 * 1:58317 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt (server-webapp.rules)
 * 1:58302 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt (server-webapp.rules)
 * 1:58290 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt (server-webapp.rules)
 * 1:58308 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)

2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58282 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt
* 1:58283 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt
* 1:58284 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt
* 1:58285 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt
* 1:58286 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58287 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58288 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58289 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58290 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58291 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58292 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58293 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58294 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58295 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58296 <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt
* 1:58297 <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt
* 3:58298 <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt
* 1:58299 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58300 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58301 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58302 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt
* 1:58303 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58304 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58305 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58306 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt
* 1:58308 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58309 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58310 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58311 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58312 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58313 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58314 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58315 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58316 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58317 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58318 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58319 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt

Modified Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58282 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt
* 1:58283 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt
* 1:58284 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt
* 1:58285 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt
* 1:58286 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58287 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58288 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58289 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58290 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58291 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58292 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58293 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58294 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58295 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58296 <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt
* 1:58297 <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt
* 3:58298 <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt
* 1:58299 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58300 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58301 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58302 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt
* 1:58303 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58304 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58305 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58306 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt
* 1:58308 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58309 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58310 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58311 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58312 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58313 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58314 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58315 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58316 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58317 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58318 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58319 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt

Modified Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58282 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt
* 1:58283 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt
* 1:58284 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt
* 1:58285 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt
* 1:58286 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58287 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58288 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58289 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58290 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58291 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58292 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58293 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58294 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58295 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58296 <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt
* 1:58297 <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt
* 3:58298 <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt
* 1:58299 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58300 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58301 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58302 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt
* 1:58303 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58304 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58305 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58306 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt
* 1:58308 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58309 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58310 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58311 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58312 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58313 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58314 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58315 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58316 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58317 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58318 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58319 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt

Modified Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58282 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt
* 1:58283 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt
* 1:58284 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt
* 1:58285 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt
* 1:58286 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58287 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58288 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58289 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58290 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58291 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58292 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58293 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58294 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58295 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58296 <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt
* 1:58297 <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt
* 3:58298 <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt
* 1:58299 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58300 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58301 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58302 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt
* 1:58303 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58304 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58305 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58306 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt
* 1:58308 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58309 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58310 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58311 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58312 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58313 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58314 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58315 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58316 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58317 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58318 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58319 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt

Modified Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58282 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfAddFormServer Java expression language injection attempt
* 1:58283 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfSelItemServer Java expression language injection attempt
* 1:58284 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center FileUploadServlet Unrestricted arbitrary JSP file upload attempt
* 1:58285 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_RightWindow XML external entity injection attempt
* 1:58286 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58287 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:58288 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58289 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege exploit download attempt
* 1:58290 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58291 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58292 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58293 <-> SERVER-WEBAPP Trend Micro Encryption for Email Gateway registration command injection attempt
* 1:58294 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58295 <-> OS-WINDOWS Microsoft DirectX graphics kernel privilege escalation attempt
* 1:58296 <-> MALWARE-OTHER Jsp.Webshell.Chopper download attempt
* 1:58297 <-> MALWARE-OTHER Jsp.Webshell.Chopper upload attempt
* 3:58298 <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2021-1378 attack attempt
* 1:58299 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58300 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58301 <-> POLICY-OTHER Alibaba Nacos potential authentication bypass attempt
* 1:58302 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet Write XML external entity injection attempt
* 1:58303 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58304 <-> OS-WINDOWS Microsoft Windows CLFS privilege escalation attempt
* 1:58305 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58306 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_Table XML external entity injection attempt
* 1:58308 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58309 <-> OS-WINDOWS Microsoft Windows CLFS kernel driver buffer overflow attempt
* 1:58310 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58311 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58312 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58313 <-> OS-WINDOWS Microsoft Windows 10 Win32k elevation of privilege attempt
* 1:58314 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58315 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58316 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58317 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58318 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt
* 1:58319 <-> SERVER-WEBAPP Microsoft SharePoint Server remote code execution attempt

Modified Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).


2021-10-12 17:26:15 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).


2021-10-12 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).


2021-10-12 17:26:16 UTC

Snort Subscriber Rules Update

Date: 2021-10-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules and Modified Rules: the same entries as listed for Snort version 3.1.1.0 above (new: SIDs 58282 through 58319, all under GID 1 except 3:58298; modified: 1:300053, 1:55827 through 1:55829 and 1:58269 through 1:58272).