Talos Rules 2021-12-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-41333: A coding deficiency exists in Microsoft Windows Print Spooler that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58752 through 58753.

Microsoft Vulnerability CVE-2021-43207: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58775 through 58776.

Microsoft Vulnerability CVE-2021-43226: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 58754 through 58757.

Microsoft Vulnerability CVE-2021-43233: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 58774.

Microsoft Vulnerability CVE-2021-43883: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 58635 through 58636.

Talos is releasing updates to Snort 2 SIDs: 58740-58741 and new Snort 2 SIDs: 58784-58790 to address CVE-2021-44228, an RCE vulnerability in the Apache Log4j API.

Talos has also added and modified multiple rules in the file-pdf, malware-cnc, malware-other, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

Modified Rules:
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)

Modified Rules:
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)

Modified Rules:
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

Modified Rules:
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

Modified Rules:
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)

Modified Rules:


 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
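The listing format above is regular enough to check mechanically. The Python below is an added example, not part of the Talos release notes or of any Snort tooling: it parses lines of the "gid:sid <-> state <-> message (rule group)" shape, verifies that a SID range named in the release text (for instance the Log4j coverage in SIDs 58784 through 58790) is actually present and ENABLED, lists the rules in a group that ship DISABLED by default (the coverage rules for the Microsoft CVEs in this release are in that state, so a site that wants them must enable them itself), and compares a Snort 2 listing against a Snort 3 one after stripping the "snort3-" file prefix. The sample lines are copied from this release; the "gid:sid" output form for disabled rules is a convention assumed here for a local enablesid-style list, not something the page specifies.

```python
import re
from collections import Counter

# Constructed samples: a few lines copied from the Snort 2 and Snort 3 listings in this release.
SNORT2_SAMPLE = """\
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
"""

SNORT3_SAMPLE = """\
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (snort3-os-windows.rules)
"""

# One listing line: " * gid:sid <-> STATE <-> Message (rule-group file)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.*?)\s+\((?P<file>[^()]+)\)\s*$"
)


def parse_listing(text):
    """Return {(gid, sid): rule} for every matching line; headers and blanks are skipped.
    Snort 3 packs prefix the rule file with 'snort3-'; that prefix is removed into 'group'
    so Snort 2 and Snort 3 listings compare cleanly, while 'file' keeps the literal name."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fname = m["file"]
        group = fname[len("snort3-"):] if fname.startswith("snort3-") else fname
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"gid": key[0], "sid": key[1], "state": m["state"],
                      "msg": m["msg"], "file": fname, "group": group}
    return rules


def check_sid_range(rules, lo, hi, gid=1, expect_state=None):
    """Confirm every SID in [lo, hi] is present and, if asked, in the expected default state.
    Returns (missing_sids, sids_in_other_state)."""
    missing, other = [], []
    for sid in range(lo, hi + 1):
        r = rules.get((gid, sid))
        if r is None:
            missing.append(sid)
        elif expect_state and r["state"] != expect_state:
            other.append(sid)
    return missing, other


def disabled_in_group(rules, group):
    """Rules in a group that ship DISABLED by default, as 'gid:sid' strings (assumed
    enablesid-style form) so they can be turned on deliberately after review."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in rules.values()
                  if r["group"] == group and r["state"] == "DISABLED")


def state_counts(rules):
    """Count of rules per (group, default state), a quick picture of what a release turns on."""
    return Counter((r["group"], r["state"]) for r in rules.values())


def diff_listings(a, b):
    """(gid, sid) keys present in only one of two listings, e.g. Snort 2 pack vs Snort 3 pack."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    snort2 = parse_listing(SNORT2_SAMPLE)
    snort3 = parse_listing(SNORT3_SAMPLE)
    print("Log4j SIDs 58784-58790 missing/not ENABLED:",
          check_sid_range(snort2, 58784, 58790, expect_state="ENABLED"))
    print("os-windows rules DISABLED by default:", disabled_in_group(snort2, "os-windows.rules"))
    print("per-group states:", dict(state_counts(snort2)))
    print("only in Snort 2 / only in Snort 3:", diff_listings(snort2, snort3))
```

Run against a full listing (one section per Snort version), the two checks a practitioner cares about are the first two prints: the SID ranges promised in the release text must come back with empty lists, and the DISABLED list for os-windows.rules is the set of CVE coverage rules that will not fire until enabled locally.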

New Rules:


 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)

Modified Rules:


 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)

Modified Rules:


 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (snort3-malware-other.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (snort3-file-pdf.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (snort3-malware-other.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (snort3-malware-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (snort3-malware-other.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (snort3-malware-cnc.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (snort3-file-pdf.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (snort3-malware-cnc.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (snort3-malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (snort3-malware-cnc.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (snort3-malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (snort3-malware-cnc.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (snort3-malware-cnc.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (snort3-malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (snort3-os-windows.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (snort3-malware-cnc.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (snort3-malware-cnc.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (snort3-malware-cnc.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (snort3-malware-cnc.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (snort3-malware-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (snort3-malware-other.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (snort3-malware-other.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (snort3-malware-cnc.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (snort3-protocol-icmp.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (snort3-protocol-icmp.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (snort3-os-windows.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (snort3-os-windows.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-server-other.rules)
 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (snort3-protocol-icmp.rules)

2021-12-14 18:34:35 UTC

Snort Subscriber Rules Update

Date: 2021-12-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58779 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58765 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58772 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58771 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection (malware-cnc.rules)
 * 1:58770 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58788 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58780 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58775 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58781 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58790 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58789 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58755 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58782 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58784 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58759 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt (malware-other.rules)
 * 1:58752 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58763 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58785 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58777 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt (malware-cnc.rules)
 * 1:58778 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection (malware-cnc.rules)
 * 1:58756 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58758 <-> ENABLED <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt (malware-other.rules)
 * 1:58757 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt (os-windows.rules)
 * 1:58769 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt (os-windows.rules)
 * 1:58762 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58786 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58787 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58764 <-> ENABLED <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt (malware-other.rules)
 * 1:58754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:58776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58767 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58760 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58766 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)
 * 1:58761 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt (malware-other.rules)
 * 1:58773 <-> ENABLED <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection (malware-cnc.rules)
 * 1:58783 <-> DISABLED <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt (file-pdf.rules)
 * 1:58768 <-> DISABLED <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection (malware-cnc.rules)

Modified Rules:


 * 1:24303 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor add attempt (protocol-icmp.rules)
 * 1:58740 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:58635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:58741 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (server-other.rules)
 * 1:24301 <-> DISABLED <-> PROTOCOL-ICMP IPv6 MLD multicast listener query attempt (protocol-icmp.rules)
 * 1:58636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules)
 * 1:24302 <-> DISABLED <-> PROTOCOL-ICMP IPv6 multicast neighbor delete attempt (protocol-icmp.rules)

2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:51 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:52 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:52 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt


2021-12-14 18:36:52 UTC

Snort Subscriber Rules Update

Date: 2021-12-14-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58752 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58753 <-> OS-WINDOWS Microsoft Windows Print Spooler elevation of privilege attempt
* 1:58754 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58755 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58756 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58757 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:58758 <-> MALWARE-OTHER Email.Dropper.Agent phishing email download attempt
* 1:58759 <-> MALWARE-OTHER Win.Trojan.Agent variant payload download attempt
* 1:58760 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58761 <-> MALWARE-OTHER Win.Dropper.Agent HCrypt PowerShell payload download attempt
* 1:58762 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58763 <-> MALWARE-OTHER Win.Downloader.Agent payload download attempt
* 1:58764 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58765 <-> MALWARE-OTHER Vbs.Downloader.Agent payload download attempt
* 1:58766 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58767 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58768 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58769 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58770 <-> MALWARE-CNC Rat.Trojan.Nanocore variant cnc connection
* 1:58771 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58772 <-> MALWARE-CNC Rat.Trojan.Netwire variant cnc connection
* 1:58773 <-> MALWARE-CNC Rat.Trojan.AsyncRAT variant cnc connection
* 1:58774 <-> OS-WINDOWS Microsoft Windows Remote Desktop Protocol remote code execution attempt
* 1:58775 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58776 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58777 <-> MALWARE-CNC Win.Trojan.FormBook outbound connection attempt
* 1:58778 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58779 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58780 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58781 <-> MALWARE-CNC Win.Infostealer.RedLine outbound connection
* 1:58782 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58783 <-> FILE-PDF Adobe Reader Uninitialized object RCE attempt
* 1:58784 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58785 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58786 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58787 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58788 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58789 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58790 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt

Modified Rules:

* 1:58635 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58636 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt
* 1:58740 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:58741 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt