Talos has added and modified multiple rules in the file-multimedia, indicator-scan, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)

* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)

* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)

* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)

* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)

* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)

* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read
attempt (file-multimedia.rules) * 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)

* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)

* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)

* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 3:58443 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58446 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:58440 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt (server-webapp.rules)
* 3:58445 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58441 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58444 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt (server-webapp.rules)
* 3:58442 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt (server-other.rules)

* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (snort3-server-webapp.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (snort3-malware-other.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (snort3-malware-other.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (snort3-malware-other.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (snort3-server-webapp.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (snort3-server-webapp.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (snort3-malware-cnc.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (snort3-server-webapp.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (snort3-server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (snort3-server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (snort3-malware-other.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (snort3-server-webapp.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (snort3-server-webapp.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (snort3-malware-cnc.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (snort3-malware-other.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (snort3-server-apache.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (snort3-server-webapp.rules)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (snort3-malware-cnc.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (snort3-server-webapp.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (snort3-malware-cnc.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (snort3-malware-cnc.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (snort3-malware-other.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (snort3-server-webapp.rules)

* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (snort3-file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (snort3-indicator-scan.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (snort3-server-webapp.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (snort3-server-other.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (snort3-file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (snort3-file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58433 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58435 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58427 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt (server-webapp.rules)
* 1:58434 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58421 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58426 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58438 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58428 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt (server-webapp.rules)
* 1:58447 <-> DISABLED <-> SERVER-APACHE Apache Druid remote code execution attempt (server-apache.rules)
* 1:58439 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58423 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58424 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58425 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt (server-webapp.rules)
* 1:58418 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58432 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58431 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58429 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)
* 1:58419 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58422 <-> DISABLED <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt (server-webapp.rules)
* 1:58436 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic upload attempt (malware-other.rules)
* 1:58420 <-> DISABLED <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt (server-webapp.rules)
* 1:58437 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.Generic download attempt (malware-other.rules)
* 1:58430 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection (malware-cnc.rules)

* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:55828 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:55829 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:55827 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt (server-webapp.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:58418 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58419 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58420 <-> SERVER-WEBAPP ReadyDesk 9.1 OpenAttach2 directory traversal attempt
* 1:58421 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58422 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58423 <-> SERVER-WEBAPP BillQuick Web Suite SQL injection attempt
* 1:58424 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58425 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58426 <-> SERVER-WEBAPP Schneider Electric Umotion Builder Virtual Appliance Css directory traversal attempt
* 1:58427 <-> SERVER-WEBAPP Trend Micro Control Manager widget_old_SP1 dlp_policy directory traversal attempt
* 1:58428 <-> SERVER-WEBAPP Trend Micro Control Manager Widget modDLPViolationCntdrildown.php directory traversal attempt
* 1:58429 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58430 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58431 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58432 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58433 <-> MALWARE-CNC Win.Trojan.MirrorBlast outbound connection
* 1:58434 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58435 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58436 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58437 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 1:58438 <-> MALWARE-OTHER Php.Webshell.Generic upload attempt
* 1:58439 <-> MALWARE-OTHER Php.Webshell.Generic download attempt
* 3:58440 <-> SERVER-WEBAPP Cisco ASA and FTD web services stack buffer overflow attempt
* 3:58441 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58442 <-> SERVER-OTHER Cisco ASA and FTD denial of service attempt
* 3:58443 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58444 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58445 <-> SERVER-WEBAPP Cisco ASA and FTD web services denial of service attempt
* 3:58446 <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt
* 1:58447 <-> SERVER-APACHE Apache Druid remote code execution attempt

* 1:12710 <-> SERVER-OTHER ASN.1 constructed bit string
* 1:19559 <-> INDICATOR-SCAN SSH brute force login attempt
* 1:35624 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35625 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35626 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35627 <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt
* 1:35711 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35712 <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt
* 1:35713 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35714 <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt
* 1:35715 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35716 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35717 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:35718 <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt
* 1:55827 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55828 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt
* 1:55829 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet multiple functions SQL injection attempt