Talos Rules 2021-11-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-image, file-multimedia, file-other, malware-cnc, netbios, os-mobile, os-solaris, policy-other, protocol-imap, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:

 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:

 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:

 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:

 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:

 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:


 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:


 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:


 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:


 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:58566 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)
 * 3:58565 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt (file-image.rules)

Modified Rules:


 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (snort3-os-mobile.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (snort3-server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (snort3-os-mobile.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (snort3-server-webapp.rules)
 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (snort3-server-webapp.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (snort3-server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (snort3-server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (snort3-malware-cnc.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (snort3-netbios.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (snort3-netbios.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (snort3-server-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (snort3-server-other.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (snort3-protocol-imap.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (snort3-server-other.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (snort3-server-other.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (snort3-protocol-imap.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (snort3-file-multimedia.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (snort3-netbios.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (snort3-netbios.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (snort3-server-mysql.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (snort3-os-solaris.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (snort3-protocol-imap.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (snort3-server-other.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (snort3-server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (snort3-server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (snort3-server-webapp.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (snort3-server-webapp.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (snort3-server-webapp.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (snort3-file-image.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (snort3-exploit-kit.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (snort3-netbios.rules)
 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (snort3-protocol-imap.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (snort3-netbios.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (snort3-protocol-imap.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (snort3-server-other.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (snort3-policy-other.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (snort3-server-other.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (snort3-protocol-imap.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (snort3-server-other.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (snort3-server-webapp.rules)

2021-11-16 13:45:39 UTC

Snort Subscriber Rules Update

Date: 2021-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58569 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58558 <-> DISABLED <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:58559 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58567 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58560 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58564 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt (malware-cnc.rules)
 * 1:58568 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt (server-webapp.rules)
 * 1:58561 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt (server-webapp.rules)
 * 1:58556 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58562 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:58557 <-> DISABLED <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt (os-mobile.rules)

Modified Rules:


 * 1:3065 <-> DISABLED <-> PROTOCOL-IMAP append literal overflow attempt (protocol-imap.rules)
 * 1:2552 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt (server-other.rules)
 * 1:2553 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt (server-other.rules)
 * 1:2673 <-> DISABLED <-> FILE-IMAGE libpng tRNS overflow attempt (file-image.rules)
 * 1:6705 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:6710 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:6704 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:1547 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt (server-webapp.rules)
 * 1:2556 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt (server-other.rules)
 * 1:2554 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache POST overflow attempt (server-other.rules)
 * 1:6702 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
 * 1:3088 <-> DISABLED <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt (file-multimedia.rules)
 * 1:6709 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:2597 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt (server-webapp.rules)
 * 1:58307 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt (server-webapp.rules)
 * 1:3076 <-> DISABLED <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt (protocol-imap.rules)
 * 1:2555 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt (server-other.rules)
 * 1:2598 <-> DISABLED <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt (server-webapp.rules)
 * 1:1548 <-> DISABLED <-> SERVER-WEBAPP csSearch.cgi access (server-webapp.rules)
 * 1:2103 <-> DISABLED <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt (netbios.rules)
 * 1:6703 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
 * 1:2551 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache GET overflow attempt (server-other.rules)
 * 1:3666 <-> DISABLED <-> SERVER-MYSQL server greeting finished (server-mysql.rules)
 * 1:3071 <-> DISABLED <-> PROTOCOL-IMAP status literal overflow attempt (protocol-imap.rules)
 * 1:3067 <-> DISABLED <-> PROTOCOL-IMAP examine literal overflow attempt (protocol-imap.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:3069 <-> DISABLED <-> PROTOCOL-IMAP fetch literal overflow attempt (protocol-imap.rules)
 * 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
 * 1:3075 <-> DISABLED <-> PROTOCOL-IMAP unsubscribe literal overflow attempt (protocol-imap.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:2558 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt (server-other.rules)
 * 1:2560 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt (server-other.rules)
 * 1:2557 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt (server-other.rules)
 * 1:2580 <-> DISABLED <-> SERVER-WEBAPP server negative Content-Length attempt (server-webapp.rules)
 * 1:2559 <-> DISABLED <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt (server-other.rules)
 * 1:6711 <-> DISABLED <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:6708 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
 * 1:18985 <-> DISABLED <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt (policy-other.rules)

2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt


2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt


2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt


2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt


2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt


2021-11-16 13:56:22 UTC

Snort Subscriber Rules Update

Date: 2021-11-15-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort versions 3.1.3.0, 3.1.4.0, 3.1.5.0, 3.1.7.0, 3.1.9.0, 3.1.11.0 and 3.1.15.0 (the same rule set applies to each of these versions).

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58556 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58557 <-> OS-MOBILE ARM Mali GPU kernel use-after-free attempt
* 1:58558 <-> SERVER-WEBAPP EMC VMAX3 VASA Provider virtual appliance UploadConfigurator arbitrary JSP file upload attempt
* 1:58559 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58560 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58561 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet ID_HIDDEN_RED_ALERT_TASK_ID SQL injection attempt
* 1:58562 <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET CommandLineService arbitrary Java object deserialization attempt
* 1:58564 <-> MALWARE-CNC Win.Trojan.SquirrelWaffle beacon attempt
* 3:58565 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 3:58566 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1414 attack attempt
* 1:58567 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58568 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt
* 1:58569 <-> SERVER-WEBAPP Roundcube Webmail file disclosure attempt

Modified Rules:

* 1:1547 <-> SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt
* 1:1548 <-> SERVER-WEBAPP csSearch.cgi access
* 1:18985 <-> POLICY-OTHER CA ARCserve Axis2 default credential login attempt
* 1:2103 <-> NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt
* 1:2551 <-> SERVER-OTHER Oracle Web Cache GET overflow attempt
* 1:2552 <-> SERVER-OTHER Oracle Web Cache HEAD overflow attempt
* 1:2553 <-> SERVER-OTHER Oracle Web Cache PUT overflow attempt
* 1:2554 <-> SERVER-OTHER Oracle Web Cache POST overflow attempt
* 1:2555 <-> SERVER-OTHER Oracle Web Cache TRACE overflow attempt
* 1:2556 <-> SERVER-OTHER Oracle Web Cache DELETE overflow attempt
* 1:2557 <-> SERVER-OTHER Oracle Web Cache LOCK overflow attempt
* 1:2558 <-> SERVER-OTHER Oracle Web Cache MKCOL overflow attempt
* 1:2559 <-> SERVER-OTHER Oracle Web Cache COPY overflow attempt
* 1:2560 <-> SERVER-OTHER Oracle Web Cache MOVE overflow attempt
* 1:2580 <-> SERVER-WEBAPP server negative Content-Length attempt
* 1:2597 <-> SERVER-WEBAPP Samba SWAT Authorization overflow attempt
* 1:2598 <-> SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
* 1:2673 <-> FILE-IMAGE libpng tRNS overflow attempt
* 1:29131 <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt
* 1:3065 <-> PROTOCOL-IMAP append literal overflow attempt
* 1:3067 <-> PROTOCOL-IMAP examine literal overflow attempt
* 1:3069 <-> PROTOCOL-IMAP fetch literal overflow attempt
* 1:3071 <-> PROTOCOL-IMAP status literal overflow attempt
* 1:3075 <-> PROTOCOL-IMAP unsubscribe literal overflow attempt
* 1:3076 <-> PROTOCOL-IMAP UNSUBSCRIBE overflow attempt
* 1:3088 <-> FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt
* 1:3527 <-> OS-SOLARIS Oracle Solaris LPD overflow attempt
* 1:49482 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:49483 <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt
* 1:58307 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree XML external entity injection attempt
* 1:6702 <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt
* 1:6703 <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt
* 1:6704 <-> NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt
* 1:6705 <-> NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt
* 1:6708 <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt
* 1:6709 <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt
* 1:6710 <-> NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt
* 1:6711 <-> NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt