Talos Rules 2023-06-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2023-28310: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61933 through 61935; Snort3: GID 1, SIDs 61933 and 300600.

Microsoft Vulnerability CVE-2023-29357: A coding deficiency exists in Microsoft SharePoint Server that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61937 through 61939; Snort3: GID 1, SIDs 61937 through 61939.

Microsoft Vulnerability CVE-2023-29358: A coding deficiency exists in Microsoft Windows GDI that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61909 through 61910; Snort3: GID 1, SID 300592.

Microsoft Vulnerability CVE-2023-29360: A coding deficiency exists in Microsoft Windows TPM Device Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61915 through 61916; Snort3: GID 1, SID 300595.

Microsoft Vulnerability CVE-2023-29361: A coding deficiency exists in Microsoft Windows Cloud Files Mini Filter Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61907 through 61908; Snort3: GID 1, SID 300591.

Microsoft Vulnerability CVE-2023-29371: A coding deficiency exists in Microsoft Windows GDI that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 61911 through 61912; Snort3: GID 1, SID 300593.

Talos has also added and modified multiple rules in the file-other, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats in those areas.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)

Modified Rules:


 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)

Modified Rules:


 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)

Modified Rules:


 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)

Modified Rules:


 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)

Modified Rules:


 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)

Modified Rules:


 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


Modified Rules:


 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (snort3-malware-backdoor.rules)

2023-06-13 18:29:27 UTC

Snort Subscriber Rules Update

Date: 2023-06-13

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61924 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61935 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61920 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61900 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61934 <-> DISABLED <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt (malware-other.rules)
 * 1:61905 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61937 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61897 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61933 <-> DISABLED <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt (server-mail.rules)
 * 1:61907 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61921 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61898 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61908 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt (os-windows.rules)
 * 1:61913 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)
 * 1:61906 <-> DISABLED <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt (file-other.rules)
 * 1:61911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61919 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61922 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61923 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61912 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt (os-windows.rules)
 * 1:61904 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61901 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61917 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:61918 <-> DISABLED <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt (server-webapp.rules)
 * 1:61899 <-> DISABLED <-> SERVER-WEBAPP Centreon Web Application command injection attempt (server-webapp.rules)
 * 1:61902 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Redline malicious file download (malware-cnc.rules)
 * 1:61903 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gozi malicious file download (malware-cnc.rules)
 * 1:61915 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61916 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt (os-windows.rules)
 * 1:61936 <-> ENABLED <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt (server-webapp.rules)
 * 1:61938 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61939 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt (server-webapp.rules)
 * 1:61914 <-> DISABLED <-> MALWARE-TOOLS Win.Proxy.frp download attempt (malware-tools.rules)

Modified Rules:

 * 1:61372 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61375 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:61377 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61376 <-> DISABLED <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt (policy-other.rules)
 * 1:61374 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:57287 <-> ENABLED <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt (malware-backdoor.rules)
 * 1:61373 <-> DISABLED <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt (server-webapp.rules)

2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:42 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt


2023-06-13 18:32:43 UTC

Snort Subscriber Rules Update

Date: 2023-06-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300588 <-> MALWARE-CNC Win.Trojan.Redline malicious file download
* 1:300589 <-> MALWARE-CNC Win.Trojan.Gozi malicious file download
* 1:300590 <-> FILE-OTHER Microsoft Visual Studio Python Interpreter Services remote code execution attempt
* 1:300591 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt
* 1:300592 <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt
* 1:300593 <-> OS-WINDOWS Microsoft Windows User-mode Printer Driver privilege escalation attempt
* 1:300594 <-> MALWARE-TOOLS Win.Proxy.frp download attempt
* 1:300595 <-> OS-WINDOWS Microsoft Windows TPM device driver elevation of privilege attempt
* 1:300596 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300597 <-> SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
* 1:300598 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300599 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300600 <-> MALWARE-OTHER Win.Exploit.CVE_2023_28310 download attempt
* 1:61897 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61898 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61899 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61900 <-> SERVER-WEBAPP Centreon Web Application command injection attempt
* 1:61933 <-> SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt
* 1:61936 <-> SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt
* 1:61937 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61938 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt
* 1:61939 <-> SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Modified Rules:

* 1:300442 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300443 <-> SERVER-WEBAPP Fortra GoAnywhere MFT remote code execution attempt
* 1:300444 <-> POLICY-OTHER Fortra GoAnywhere MFT potential remote code execution attempt
* 1:43268 <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt
* 1:57287 <-> MALWARE-BACKDOOR DEWMODE webshell file download attempt