Talos Rules 2021-11-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-38666: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 58541.

Microsoft Vulnerability CVE-2021-42292: A coding deficiency exists in Microsoft Excel that may lead to security feature bypass.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58539 through 58540, or GID 1, SID 300054 for Snort3.

Microsoft Vulnerability CVE-2021-42298: A coding deficiency exists in Microsoft Defender that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58519 through 58520.

Talos has also added and modified multiple rules in the browser-ie, file-image, file-office, file-other, malware-cnc, os-windows, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)

Modified Rules:


 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 3:58534 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58535 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt (file-other.rules)
 * 3:58536 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)
 * 3:58537 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt (file-other.rules)

Modified Rules:


 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (snort3-server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (snort3-server-webapp.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (snort3-server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (snort3-server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (snort3-server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (snort3-server-other.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (snort3-server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (snort3-server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (snort3-server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (snort3-server-webapp.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (snort3-file-office.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (snort3-server-webapp.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (snort3-server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (snort3-server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (snort3-server-webapp.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (snort3-server-webapp.rules)
 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (snort3-server-other.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (snort3-os-windows.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (snort3-server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (snort3-browser-ie.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (snort3-browser-ie.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (snort3-server-webapp.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (snort3-server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (snort3-server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (snort3-malware-cnc.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (snort3-server-webapp.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (snort3-malware-cnc.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (snort3-server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (snort3-server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (snort3-malware-cnc.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (snort3-server-webapp.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (snort3-server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (snort3-file-other.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (snort3-server-webapp.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (snort3-server-other.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (snort3-file-office.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (snort3-server-webapp.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (snort3-server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (snort3-server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (snort3-server-webapp.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (snort3-server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (snort3-server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (snort3-server-webapp.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (snort3-file-image.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (snort3-server-mail.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (snort3-file-image.rules)

2021-11-09 22:19:02 UTC

Snort Subscriber Rules Update

Date: 2021-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58501 <-> DISABLED <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt (server-other.rules)
 * 1:58498 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58508 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58511 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58505 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58515 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58528 <-> DISABLED <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt (server-other.rules)
 * 1:58496 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58506 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58529 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58507 <-> DISABLED <-> SERVER-WEBAPP Tenda Router command injection attempt (server-webapp.rules)
 * 1:58538 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:58539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58540 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt (file-office.rules)
 * 1:58500 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58513 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:58527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58521 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt (server-webapp.rules)
 * 1:58518 <-> ENABLED <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt (server-other.rules)
 * 1:58502 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection (malware-cnc.rules)
 * 1:58503 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58509 <-> DISABLED <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt (server-webapp.rules)
 * 1:58525 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt (server-webapp.rules)
 * 1:58533 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58504 <-> DISABLED <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt (server-webapp.rules)
 * 1:58520 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58523 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58530 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58531 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58541 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt (os-windows.rules)
 * 1:58512 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58516 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt (server-webapp.rules)
 * 1:58532 <-> DISABLED <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt (server-webapp.rules)
 * 1:58522 <-> DISABLED <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt (server-webapp.rules)
 * 1:58510 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt (server-webapp.rules)
 * 1:58519 <-> ENABLED <-> BROWSER-IE Microsoft Defender memory corruption attempt (browser-ie.rules)
 * 1:58526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection (malware-cnc.rules)
 * 1:58499 <-> DISABLED <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt (server-webapp.rules)
 * 1:58517 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt (server-webapp.rules)
 * 1:58514 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt (server-webapp.rules)
 * 1:58524 <-> ENABLED <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt (file-other.rules)

Modified Rules:


 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:53733 <-> ENABLED <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt (server-webapp.rules)
 * 1:53769 <-> ENABLED <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt (server-mail.rules)
 * 1:56162 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt (server-webapp.rules)
 * 1:58471 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58472 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)
 * 1:58473 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt (server-webapp.rules)

2021-11-09 22:21:37 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt


2021-11-09 22:21:38 UTC

Snort Subscriber Rules Update

Date: 2021-11-09-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300054 <-> FILE-OFFICE Microsoft Office Excel protected view bypass attempt
* 1:58496 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58497 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58498 <-> MALWARE-CNC Win.Trojan.Kimsuky outbound connection
* 1:58499 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58500 <-> SERVER-WEBAPP Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58501 <-> SERVER-OTHER Zyxel Unified Security Gateway undocumented administrator account login attempt
* 1:58502 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58503 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58504 <-> SERVER-WEBAPP SonicWall Email Security directory traversal attempt
* 1:58505 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58506 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58507 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58508 <-> SERVER-WEBAPP Tenda Router command injection attempt
* 1:58509 <-> SERVER-WEBAPP Accellion File Transfer Appliance SQL injection attempt
* 1:58510 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58511 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58512 <-> SERVER-WEBAPP EyesOfNetwork SQL injection attempt
* 1:58513 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:58514 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58515 <-> SERVER-WEBAPP EyesOfNetwork autodiscovery command injection attempt
* 1:58516 <-> SERVER-WEBAPP SAP NetWeaver AS JAVA XML external entity injection attempt
* 1:58517 <-> SERVER-WEBAPP GE MDS PulseNET IntegrationXMLProcessorServlet AlarmActions XML external entity injection attempt
* 1:58518 <-> SERVER-OTHER D-Link DIR-825 R1 buffer overflow attempt
* 1:58519 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58520 <-> BROWSER-IE Microsoft Defender memory corruption attempt
* 1:58521 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center perfInsListServer Java expression language injection attempt
* 1:58522 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58523 <-> SERVER-WEBAPP rConfig ajaxAddTemplate.php command injection attempt
* 1:58524 <-> FILE-OTHER Apple Safari Type 1 fonts RCE attempt
* 1:58525 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center directory traversal attempt
* 1:58526 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58527 <-> MALWARE-CNC Win.Trojan.STRRAT variant outbound connection
* 1:58528 <-> SERVER-OTHER OpenLDAP IssuerAndThisUpdateCheck integer underflow attempt
* 1:58529 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58530 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58531 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58532 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 1:58533 <-> SERVER-WEBAPP Buffalo WSR router configuration injection attempt
* 3:58534 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58535 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1405 attack attempt
* 3:58536 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 3:58537 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2021-1404 attack attempt
* 1:58538 <-> SERVER-WEBAPP Arcadyan routers path traversal attempt
* 1:58541 <-> OS-WINDOWS Microsoft Windows RDP client memory corruption attempt

Modified Rules:

* 1:41454 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41455 <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt
* 1:41808 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:41809 <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt
* 1:53733 <-> SERVER-WEBAPP IBM Data Risk Manager directory traversal attempt
* 1:53769 <-> SERVER-MAIL iOS MobileMail Maild heap overflow attempt
* 1:56162 <-> SERVER-WEBAPP Citrix ADC and Gateway information disclosure attempt
* 1:57275 <-> SERVER-WEBAPP ysoserial TypeConfuseDelegate deserialization exploit attempt
* 1:58471 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58472 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt
* 1:58473 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet SQL injection attempt