Talos Rules 2021-12-09
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, file-multimedia, file-office, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 3:58718 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt (server-webapp.rules)
 * 3:58720 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)
 * 3:58716 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58717 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt (file-multimedia.rules)
 * 3:58719 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (snort3-policy-other.rules)
 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (snort3-malware-other.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (snort3-server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (snort3-malware-cnc.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (snort3-policy-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (snort3-server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (snort3-server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (snort3-browser-other.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (snort3-server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (snort3-file-office.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (snort3-protocol-scada.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (snort3-file-other.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (snort3-policy-other.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (snort3-os-windows.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (snort3-server-webapp.rules)
 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (snort3-policy-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (snort3-server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (snort3-protocol-services.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (snort3-server-webapp.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (snort3-server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (snort3-file-pdf.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (snort3-server-webapp.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (snort3-server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (snort3-browser-ie.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (snort3-browser-ie.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (snort3-server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (snort3-server-webapp.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (snort3-server-webapp.rules)

2021-12-09 13:10:00 UTC

Snort Subscriber Rules Update

Date: 2021-12-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58712 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt (malware-other.rules)
 * 1:58711 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt (malware-other.rules)
 * 1:58709 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:58713 <-> ENABLED <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt (malware-cnc.rules)
 * 1:58710 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt (server-webapp.rules)
 * 1:58714 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)
 * 1:58715 <-> DISABLED <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt (policy-other.rules)

Modified Rules:


 * 1:41185 <-> DISABLED <-> POLICY-OTHER SunRPC Portmap GETPORT request detected (policy-other.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:29576 <-> DISABLED <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt (file-other.rules)
 * 1:47794 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:39412 <-> DISABLED <-> SERVER-WEBAPP WANem WAN emulator command injection attempt (server-webapp.rules)
 * 1:39706 <-> DISABLED <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt (browser-other.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:32127 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt (server-webapp.rules)
 * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:24740 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt (server-webapp.rules)
 * 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
 * 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
 * 1:32786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt (file-pdf.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
 * 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
 * 1:24425 <-> DISABLED <-> PROTOCOL-SCADA Sinapsi command injection attempt (protocol-scada.rules)
 * 1:47795 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt (server-webapp.rules)
 * 1:18066 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt (file-office.rules)
 * 1:18792 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt (server-webapp.rules)
 * 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
 * 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
 * 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
 * 1:56550 <-> DISABLED <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt (server-webapp.rules)

2021-12-09 13:14:32 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:32 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:32 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root


2021-12-09 13:14:33 UTC

Snort Subscriber Rules Update

Date: 2021-12-08-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58709 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:58710 <-> SERVER-WEBAPP GE MDS PulseNET Servlet XML external entity injection attempt
* 1:58711 <-> MALWARE-OTHER Asp.Webshell.NewCon2 upload attempt
* 1:58712 <-> MALWARE-OTHER Asp.Webshell.NewCon2 download attempt
* 1:58713 <-> MALWARE-CNC Asp.Webshell.NewCon2 outbound connection attempt
* 1:58714 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 1:58715 <-> POLICY-OTHER Zoho ManageEngine Site24x7 agent installation attempt
* 3:58716 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58717 <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2021-1427 attack attempt
* 3:58718 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1420 attack attempt
* 3:58719 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt
* 3:58720 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1421 attack attempt

Modified Rules:

* 1:15115 <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt
* 1:18066 <-> FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt
* 1:18792 <-> SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt
* 1:23385 <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt
* 1:24425 <-> PROTOCOL-SCADA Sinapsi command injection attempt
* 1:24740 <-> SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice directory traversal attempt
* 1:29576 <-> FILE-OTHER Oracle Outside In OS2 metafile parser stack buffer overflow attempt
* 1:32127 <-> SERVER-WEBAPP PineApp Mail-SeCure livelog.html command injection attempt
* 1:32128 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt
* 1:32203 <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt
* 1:32261 <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt
* 1:32269 <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt
* 1:32786 <-> FILE-PDF Adobe Acrobat Reader PDF JBIG2 remote code execution attempt
* 1:35703 <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt
* 1:3689 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:37870 <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt
* 1:39412 <-> SERVER-WEBAPP WANem WAN emulator command injection attempt
* 1:39706 <-> BROWSER-OTHER Novell Messenger Client folder name buffer overflow attempt
* 1:41185 <-> POLICY-OTHER SunRPC Portmap GETPORT request detected
* 1:43409 <-> POLICY-OTHER MongoDB dropDatabase attempt
* 1:47794 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:47795 <-> SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt
* 1:56550 <-> SERVER-WEBAPP Ruckus IoT Controller Web UI authentication bypass attempt
* 1:606 <-> PROTOCOL-SERVICES rlogin root