Talos Rules 2022-03-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-21990: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 59107 through 59108.

Microsoft Vulnerability CVE-2022-23253: A coding deficiency exists in Point-to-Point Tunneling Protocol that may lead to denial of service.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 59212.

Microsoft Vulnerability CVE-2022-23285: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 59215.

Microsoft Vulnerability CVE-2022-23286: A coding deficiency exists in Microsoft Windows Cloud Files Mini Filter Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59213 through 59214.

Microsoft Vulnerability CVE-2022-23299: A coding deficiency exists in Microsoft Windows PDEV that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59210 through 59211.

Microsoft Vulnerability CVE-2022-24502: A coding deficiency exists in Microsoft Windows HTML Platforms that may lead to security feature bypass.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59216 through 59217.

Microsoft Vulnerability CVE-2022-24507: A coding deficiency exists in Microsoft Windows Ancillary Function Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59220 through 59221.

Talos also has added and modified multiple rules in the browser-ie, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)
 * 3:59225 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (snort3-malware-cnc.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (snort3-os-windows.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (snort3-os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (snort3-browser-ie.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (snort3-os-windows.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (snort3-os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (snort3-browser-ie.rules)
 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (snort3-malware-other.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (snort3-os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (snort3-malware-other.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (snort3-malware-other.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (snort3-os-windows.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (snort3-malware-cnc.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (snort3-malware-cnc.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (snort3-malware-cnc.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (snort3-malware-cnc.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (snort3-malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (snort3-server-samba.rules)

Modified Rules:



2022-03-08 18:34:04 UTC

Snort Subscriber Rules Update

Date: 2022-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59218 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt (malware-other.rules)
 * 1:59227 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59226 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt (malware-cnc.rules)
 * 1:59230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt (malware-cnc.rules)
 * 1:59231 <-> DISABLED <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt (server-samba.rules)
 * 1:59213 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)
 * 1:59108 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59215 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt (os-windows.rules)
 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt (malware-cnc.rules)
 * 1:59222 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt (malware-other.rules)
 * 1:59107 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt (os-windows.rules)
 * 1:59219 <-> ENABLED <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt (malware-other.rules)
 * 1:59214 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 1:59216 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt (os-windows.rules)

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:

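The two line formats described above (gid:sid <-> Default rule state <-> Message (rule group) in the Snort 2 packs, gid:sid <-> Message in the Snort 3 packs) are easy to parse, and the default state is the operationally important field: every OS-WINDOWS rule in this release, and the Samba rule, ships DISABLED, so a sensor running the default policy raises nothing for them until they are switched on. The Python below is an added example, not Talos or Snort code. It parses both formats, reports which rules are disabled by default, checks a watch list of gid:sid pairs against the release, and emits one gid:sid per line in the form pulledpork's enablesid.conf takes (that output form is an assumption about that tool). The sample lines are constructed copies in the shape of the notes on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input in the shape of the release notes on this page.
# The first "New Rules:" group uses the Snort 2 line format (with default
# state and rule file); the second uses the Snort 3 format, which carries
# neither.
SAMPLE_NOTES = """\
New Rules:

 * 1:59210 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt (os-windows.rules)
 * 1:59217 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt (browser-ie.rules)
 * 1:59212 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt (os-windows.rules)
 * 3:59224 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt (server-webapp.rules)

Modified Rules:

New Rules:

* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt
"""

# One bullet line. The optional groups absorb the difference between formats:
# the state field and the trailing "(file.rules)" are present only in Snort 2 notes.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?:(?P<state>ENABLED|DISABLED)\s*<->\s*)?"
    r"(?P<msg>.+?)"
    r"(?:\s*\((?P<rule_file>[\w.-]+\.rules)\))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    section: str              # "New Rules" or "Modified Rules"
    category: str             # leading token of the message, e.g. OS-WINDOWS
    msg: str
    state: Optional[str]      # ENABLED / DISABLED, or None for the Snort 3 format
    rule_file: Optional[str]  # e.g. os-windows.rules, or None for the Snort 3 format


def parse_release_notes(text: str) -> list[Rule]:
    """Parse the bullet lines of one or more update blocks into Rule records."""
    rules: list[Rule] = []
    section = "New Rules"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Rules:"):          # "New Rules:" / "Modified Rules:"
            section = stripped[:-1]
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        rules.append(Rule(
            gid=int(m.group("gid")), sid=int(m.group("sid")),
            section=section, category=msg.split()[0], msg=msg,
            state=m.group("state"), rule_file=m.group("rule_file"),
        ))
    return rules


def disabled_by_default(rules: list[Rule]) -> list[tuple[int, int]]:
    """(gid, sid) pairs that ship DISABLED; these never alert until enabled."""
    return sorted({(r.gid, r.sid) for r in rules if r.state == "DISABLED"})


def coverage(rules: list[Rule], wanted: list[tuple[int, int]]) -> dict[tuple[int, int], str]:
    """For each wanted (gid, sid): ENABLED, DISABLED, UNKNOWN-STATE (only seen in
    the Snort 3 format, which states no default) or MISSING (not in the release)."""
    by_id: dict[tuple[int, int], Optional[str]] = {}
    for r in rules:
        key = (r.gid, r.sid)
        # Prefer a line that states a default over one that does not.
        if r.state is not None or key not in by_id:
            by_id[key] = r.state
    return {
        key: (by_id[key] or "UNKNOWN-STATE") if key in by_id else "MISSING"
        for key in wanted
    }


def enablesid_lines(rules: list[Rule]) -> list[str]:
    """One gid:sid per line for every rule that ships disabled (assumed to be the
    form pulledpork's enablesid.conf accepts)."""
    return [f"{gid}:{sid}" for gid, sid in disabled_by_default(rules)]


if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE_NOTES)
    watch = [(1, 59210), (1, 59217), (1, 59231), (1, 59999)]  # constructed watch list
    for key, status in coverage(parsed, watch).items():
        print(f"{key[0]}:{key[1]} {status}")
    print("\n".join(enablesid_lines(parsed)))
```

Run against the full text of a release note rather than the sample, `coverage` answers the question an operator actually has after reading an advisory: is the SID it names present in the pack I deploy, and will it fire without a policy change. The Snort 3 blocks give no default state, so a rule seen only there is reported UNKNOWN-STATE instead of being assumed enabled.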


2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:



2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:

2022-03-08 18:36:34 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:

2022-03-08 18:36:35 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules:

2022-03-08 18:36:35 UTC

Snort Subscriber Rules Update

Date: 2022-03-07-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59107 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59108 <-> OS-WINDOWS Microsoft Windows RDP path redirection remote code execution attempt
* 1:59210 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59211 <-> OS-WINDOWS Microsoft Windows PDEV escalation of privilege attempt
* 1:59212 <-> OS-WINDOWS Microsoft Windows PPTP denial-of-service attempt
* 1:59213 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59214 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:59215 <-> OS-WINDOWS Microsoft Windows Remote Desktop client remote code execution attempt
* 1:59216 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59217 <-> BROWSER-IE Microsoft Internet Explorer security zone bypass attempt
* 1:59218 <-> MALWARE-OTHER Php.Webshell.C99Madnet outbound connection attempt
* 1:59219 <-> MALWARE-OTHER Php.Webshell.C99Madnet inbound connection attempt
* 1:59220 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59221 <-> OS-WINDOWS Microsoft Windows Winsock local privilege escalation attempt
* 1:59222 <-> MALWARE-OTHER Win.Downloader.TransparentTribe outbound connection attempt
* 1:59223 <-> MALWARE-CNC Win.Trojan.TransparentTribe outbound connection attempt
* 3:59224 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 3:59225 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2022-1469 attack attempt
* 1:59226 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59227 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59228 <-> MALWARE-CNC Win.Trojan.MuddyWater download attempt
* 1:59229 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59230 <-> MALWARE-CNC Win.Trojan.MuddyWater outbound connection attempt
* 1:59231 <-> SERVER-SAMBA Samba SMB SET_INFO heap overwrite attempt

Modified Rules: