Talos Rules 2021-10-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the indicator-compromise, indicator-obfuscation, malware-other, server-other and server-webapp rule sets to provide coverage for emerging threats. All twelve new rules (SIDs 58374 through 58385) are SERVER-WEBAPP signatures for HPE Intelligent Management Center, Trend Micro Encryption Email Gateway and GE MDS PulseNET, and all of them ship with a default state of DISABLED, so they must be enabled explicitly on sensors that watch traffic to those products.

Change logs

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)
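As an added example (not part of the Talos release notes), the following Python script parses changelog lines in the `gid:sid <-> Default rule state <-> Message (rule group)` format described above and turns them into a per-rules-file tally, the set of rule categories touched, and a list of gid:sid entries for rules that ship DISABLED. The sample input is a constructed subset of the 2091801 entries listed above; the one-entry-per-line enablesid.conf output is assumed from pulledpork's conventions, and the function names are my own.

```python
"""Parse a Snort/Talos rule changelog in the format
gid:sid <-> Default rule state <-> Message (rule group)
and turn it into something actionable: a per-group tally, the set of
rule categories touched, and a pulledpork-style enablesid.conf fragment
for rules that ship DISABLED by default."""
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry. The leading "*" bullet is optional so the regex
# also accepts lines copied without it.
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)$"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str   # default state in the shipped policy: ENABLED or DISABLED
    msg: str     # rule message, e.g. "SERVER-WEBAPP ... injection attempt"
    group: str   # rules file the signature lives in, e.g. server-webapp.rules

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # Talos messages start with the category name (SERVER-WEBAPP, ...)
        return self.msg.split(" ", 1)[0]

    @property
    def is_shared_object(self) -> bool:
        # GID 3 is reserved for shared-object (precompiled) rules, which
        # ship as a .so plus a stub rule rather than plain rule text.
        return self.gid == 3


def parse_changelog(text: str):
    """Return (new, modified) lists of RuleChange. The 'New Rules:' and
    'Modified Rules:' headings decide which list an entry lands in; any
    line that does not match the entry format is ignored."""
    new, modified, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = new
            continue
        if line == "Modified Rules:":
            current = modified
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            current.append(RuleChange(int(m["gid"]), int(m["sid"]),
                                      m["state"], m["msg"], m["group"]))
    return new, modified


def group_summary(changes) -> Counter:
    """How many entries touch each rules file."""
    return Counter(c.group for c in changes)


def touched_categories(changes) -> set:
    """Rule categories (message prefixes) present in the changelog."""
    return {c.category for c in changes}


def enablesid_fragment(changes, wanted_groups) -> list:
    """gid:sid lines for a pulledpork enablesid.conf (assumed format: one
    entry per line), covering rules in wanted_groups whose default state
    is DISABLED. Rules that are already ENABLED need no entry."""
    return [c.key for c in changes
            if c.state == "DISABLED" and c.group in wanted_groups]


# Constructed sample: a handful of entries copied from the 2091801 changelog.
SAMPLE = """\
New Rules:

 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)
"""

if __name__ == "__main__":
    new, modified = parse_changelog(SAMPLE)
    print("new:", group_summary(new))
    print("modified:", group_summary(modified))
    print("categories:", sorted(touched_categories(new + modified)))
    print("# enablesid.conf fragment for web-app sensors")
    print("\n".join(enablesid_fragment(new, {"server-webapp.rules"})))
```

Run against the full changelog text, `touched_categories` makes visible that the modified set also reaches into server-other.rules (the GID 3 shared-object rule 3:37675), which the one-line summary at the top of the page does not mention. The `enablesid_fragment` output is only a starting point: the modified INDICATOR-* rules are DISABLED by design because they are noisy, so review each SID before enabling it rather than turning on every DISABLED entry the changelog lists.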

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)

Modified Rules:


 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)

Modified Rules:

 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (snort3-server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (snort3-server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (snort3-server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (snort3-server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (snort3-server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (snort3-server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (snort3-indicator-obfuscation.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (snort3-indicator-obfuscation.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (snort3-indicator-obfuscation.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (snort3-indicator-compromise.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (snort3-malware-other.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)

2021-10-21 13:18:18 UTC

Snort Subscriber Rules Update

Date: 2021-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58381 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58384 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58379 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58378 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58385 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt (server-webapp.rules)
 * 1:58376 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58375 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt (server-webapp.rules)
 * 1:58377 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt (server-webapp.rules)
 * 1:58383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt (server-webapp.rules)
 * 1:58380 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt (server-webapp.rules)
 * 1:58374 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt (server-webapp.rules)

Modified Rules:

 * 1:45570 <-> DISABLED <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt (server-webapp.rules)
 * 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
 * 1:47848 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47847 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47845 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
 * 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
 * 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47844 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47849 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
 * 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
 * 1:47846 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download (malware-other.rules)
 * 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)

2021-10-21 13:20:39 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt

2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt

2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt

2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt


2021-10-21 13:20:40 UTC

Snort Subscriber Rules Update

Date: 2021-10-20-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58374 <-> SERVER-WEBAPP GE MDS PulseNET MagnumEmulator Servlet XML external entity injection attempt
* 1:58375 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58376 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center iccSelectCommand expression language injection attempt
* 1:58377 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58378 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center eventInfo_content expression language injection attempt
* 1:58379 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58380 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center devSoftSel Java expression language injection attempt
* 1:58381 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58382 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58383 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway formConfiguration saveValue SQL injection attempt
* 1:58384 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt
* 1:58385 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center operationSelect Java expression language injection attempt

Modified Rules:

* 3:37675 <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt
* 1:45570 <-> SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt
* 1:47398 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47399 <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt
* 1:47400 <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt
* 1:47401 <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt
* 1:47402 <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt
* 1:47639 <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling
* 1:47844 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47845 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47846 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47847 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47848 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:47849 <-> MALWARE-OTHER Win.Downloader.DDECmdExec variant download
* 1:50028 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:50029 <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt
* 1:53861 <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt