Microsoft Vulnerability CVE-2023-21552: A coding deficiency exists in Microsoft Windows GDI that may lead to elevation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 61060 through 61061, Snort 3: GID 1, SID 300358.
Microsoft Vulnerability CVE-2023-21674: A coding deficiency exists in Microsoft Windows Advanced Local Procedure Call (ALPC) that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 61062 through 61063, Snort 3: GID 1, SID 300359.
Microsoft Vulnerability CVE-2023-21768: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 61064 through 61065, Snort 3: GID 1, SID 300360.
Talos also has added and modified multiple rules in the malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:300361 <-> ENABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (snort3-server-webapp.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (snort3-malware-cnc.rules)
* 1:61068 <-> ENABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:61073 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell download attempt (malware-other.rules)
* 1:61071 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61070 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61068 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61063 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61061 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61072 <-> ENABLED <-> MALWARE-OTHER JSP.Webshell.JSPShell upload attempt (malware-other.rules)
* 1:61074 <-> ENABLED <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection (malware-cnc.rules)
* 1:61065 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61064 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt (os-windows.rules)
* 1:61066 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
* 1:61060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
* 1:61069 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt (server-webapp.rules)
* 1:61062 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt (os-windows.rules)
* 1:61067 <-> DISABLED <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.35.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.44.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.47.0.
The format of the file is:
gid:sid <-> Message
* 1:300358 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:300359 <-> OS-WINDOWS Microsoft Windows ALPC privilege escalation attempt
* 1:300360 <-> OS-WINDOWS Microsoft Windows AFD.sys privilege escalation attempt
* 1:300361 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:300362 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:300363 <-> MALWARE-OTHER JSP.Webshell.JSPShell transfer attempt
* 1:61068 <-> SERVER-WEBAPP TIBCO JasperReports reportresource directory traversal attempt
* 1:61069 <-> SERVER-WEBAPP TIBCO JasperReports flow.html directory traversal attempt
* 1:61074 <-> MALWARE-CNC JSP.Webshell.JSPShell outbound connection