Talos Rules 2022-01-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-21881: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58866 through 58867.

Microsoft Vulnerability CVE-2022-21882: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58859 through 58860.

Microsoft Vulnerability CVE-2022-21887: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58874 through 58875.

Microsoft Vulnerability CVE-2022-21897: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40689 through 40690.

Microsoft Vulnerability CVE-2022-21907: A coding deficiency exists in HTTP Stack that may lead to remote code execution.

Preprocessors to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 119, SIDs 19 and 31.

Microsoft Vulnerability CVE-2022-21908: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58870 through 58871.

Microsoft Vulnerability CVE-2022-21916: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58872 through 58873.

Microsoft Vulnerability CVE-2022-21919: A coding deficiency exists in Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58868 through 58869.

Talos also has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)

Modified Rules:

 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)

Modified Rules:

 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)

Modified Rules:

 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)

Modified Rules:

 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)

Modified Rules:

 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (snort3-malware-cnc.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (snort3-os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (snort3-os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (snort3-server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (snort3-server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (snort3-indicator-obfuscation.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (snort3-malware-other.rules)

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

2022-01-11 20:36:25 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:25 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:30 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:32 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:32 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:33 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt


2022-01-11 20:36:33 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt