Talos Rules 2022-11-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

29200

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29190

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29181

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29171

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29170

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29161

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29160

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29151

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29141

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29130

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

29111

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 3:60904 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60905 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt (file-other.rules)
 * 3:60913 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60912 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt (file-other.rules)
 * 3:60914 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt (policy-other.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

3000

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60890 <-> ENABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (snort3-server-webapp.rules)
 * 1:60889 <-> ENABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (snort3-server-webapp.rules)
 * 1:60888 <-> ENABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (snort3-server-other.rules)
 * 1:60895 <-> ENABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (snort3-malware-cnc.rules)

2983

2022-11-23 15:05:54 UTC

Snort Subscriber Rules Update

Date: 2022-11-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:60911 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60902 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection (malware-cnc.rules)
 * 1:60893 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60898 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60899 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt (server-webapp.rules)
 * 1:60900 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60894 <-> DISABLED <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt (malware-other.rules)
 * 1:60897 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60896 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt (server-webapp.rules)
 * 1:60895 <-> DISABLED <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt (malware-cnc.rules)
 * 1:60892 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60888 <-> DISABLED <-> SERVER-OTHER Apache CouchDB node remote command execution attempt (server-other.rules)
 * 1:60910 <-> DISABLED <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt (server-webapp.rules)
 * 1:60889 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60890 <-> DISABLED <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt (server-webapp.rules)
 * 1:60907 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60891 <-> DISABLED <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt (malware-other.rules)
 * 1:60903 <-> ENABLED <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection (malware-cnc.rules)
 * 1:60909 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)
 * 1:60901 <-> ENABLED <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt (server-webapp.rules)
 * 1:60906 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page (policy-other.rules)
 * 1:60908 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)

3031

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3034

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3100

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3101

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3110

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3130

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3140

2022-11-23 15:08:19 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3150

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3170

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

3190

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31110

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31150

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31180

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31200

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31210

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31350

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31440

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel

31470

2022-11-23 15:08:20 UTC

Snort Subscriber Rules Update

Date: 2022-11-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300322 <-> MALWARE-OTHER Doc.Downloader.MetaStealer file download attempt
* 1:300323 <-> MALWARE-OTHER Shikata Ga Nai polymorphic encoder encoded shellcode download attempt
* 1:300324 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60888 <-> SERVER-OTHER Apache CouchDB node remote command execution attempt
* 1:60889 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60890 <-> SERVER-WEBAPP ES File Explorer File Manager policy bypass attempt
* 1:60895 <-> MALWARE-CNC Unix.Downloader.Shikitega variant payload download attempt
* 1:60896 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60897 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_task SQL injection attempt
* 1:60898 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60899 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_view_project SQL injection attempt
* 1:60900 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60901 <-> SERVER-WEBAPP WordPress Zephyr Project Manager plugin zpm_new_task SQL injection attempt
* 1:60902 <-> MALWARE-CNC Win.Infostealer.MetaStealer variant outbound connection
* 1:60903 <-> MALWARE-CNC Xls.Downloader.AXQ variant outbound connection
* 3:60904 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 3:60905 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1635 attack attempt
* 1:60906 <-> POLICY-OTHER SAP NetWeaver JWFTestAddAssignees potential disclosure vulnerable page
* 1:60907 <-> SERVER-WEBAPP Sophos XG Firewall SQL injection attempt
* 1:60910 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 1:60911 <-> SERVER-WEBAPP TP-Link Router Web Server directory traversal attempt
* 3:60912 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60913 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2022-1650 attack attempt
* 3:60914 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2022-1612 attack attempt

Modified Rules:

* 1:50768 <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel