Talos Rules 2023-11-16
This release adds and modifies rules in several categories.

Microsoft Vulnerability CVE-2023-36017: A coding deficiency exists in Microsoft Windows Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with Snort 2: GID 1, SIDs 62659 through 62660; Snort 3: GID 1, SID 300762.

Talos has added and modified multiple rules in the browser-ie, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
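As an added example (not part of the Talos release notes), a small Python parser for the changelog line format described above. It also runs the check a defender wants after reading the release note: whether the SIDs cited for CVE-2023-36017 appear in the pack and whether they are ENABLED or DISABLED by default (a DISABLED rule ships in the rule set but does not alert until the local policy enables it). The sample lines are constructed from entries on this page.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed sample: a few changelog lines in the page's documented
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)

Modified Rules:

 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
"""

# One changelog entry: "* gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[^()]+\.rules)\)$"
)


class RuleEntry(NamedTuple):
    section: str   # "New Rules" or "Modified Rules"
    gid: int
    sid: int
    state: str     # default rule state in the shipped pack
    message: str
    group: str     # rule file the entry lives in


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse a Snort Subscriber Rules Update changelog into structured entries."""
    entries: List[RuleEntry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            # Section headers such as "New Rules:" / "Modified Rules:"
            section = line[:-1]
            continue
        if not line.startswith("*"):
            # Prose or boilerplate line, not a rule entry
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised changelog line: {raw!r}")
        entries.append(RuleEntry(section, int(m["gid"]), int(m["sid"]),
                                 m["state"], m["msg"], m["group"]))
    return entries


def coverage_check(entries: Iterable[RuleEntry], gid: int,
                   sids: Iterable[int]) -> Dict[int, Optional[str]]:
    """Map each cited SID to its default state, or None if it is not in the pack."""
    by_key = {(e.gid, e.sid): e.state for e in entries}
    return {sid: by_key.get((gid, sid)) for sid in sids}


def disabled_by_default(entries: Iterable[RuleEntry]) -> List[int]:
    """SIDs that ship DISABLED and so need a local policy change before they alert."""
    return sorted(e.sid for e in entries if e.state == "DISABLED")


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    # The release note cites GID 1, SIDs 62659 through 62660 for CVE-2023-36017.
    for sid, state in coverage_check(parsed, 1, range(62659, 62661)).items():
        print(f"1:{sid} -> {state or 'MISSING'}")
    print("disabled by default:", disabled_by_default(parsed))
```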

New Rules:


 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)
 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)

Modified Rules:


 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)
 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)

Modified Rules:


 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)
 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)

Modified Rules:


 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)
 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)

Modified Rules:


 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)
 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 3:62663 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)
 * 3:62666 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt (server-webapp.rules)
 * 3:62669 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt (server-webapp.rules)
 * 3:62665 <-> ENABLED <-> MALWARE-CNC outbound implant communication attempt (malware-cnc.rules)
 * 3:62662 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62667 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt (server-webapp.rules)
 * 3:62668 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt (server-webapp.rules)
 * 3:62661 <-> ENABLED <-> MALWARE-CNC inbound implant communication attempt (malware-cnc.rules)
 * 3:62664 <-> ENABLED <-> MALWARE-CNC inbound implant communication request (malware-cnc.rules)

Modified Rules:


 * 3:62646 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt (server-webapp.rules)
 * 3:62645 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt (server-webapp.rules)

2023-11-16 14:18:25 UTC

Snort Subscriber Rules Update

Date: 2023-11-16

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:62649 <-> DISABLED <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt (server-webapp.rules)
 * 1:62650 <-> ENABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62656 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62648 <-> DISABLED <-> SERVER-WEBAPP mySCADA myPRO command injection attempt (server-webapp.rules)
 * 1:62651 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62659 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62654 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62660 <-> DISABLED <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt (browser-ie.rules)
 * 1:62652 <-> DISABLED <-> SERVER-WEBAPP SysAid Server directory traversal attempt (server-webapp.rules)
 * 1:62653 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt (server-webapp.rules)
 * 1:62655 <-> DISABLED <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt (protocol-other.rules)
 * 1:62658 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)
 * 1:62657 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt (malware-other.rules)

Modified Rules:



2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt


2023-11-16 14:22:45 UTC

Snort Subscriber Rules Update

Date: 2023-11-15-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300759 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:300760 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:300761 <-> MALWARE-OTHER Win.Trojan.Qakbot variant download attempt
* 1:300762 <-> BROWSER-IE Windows Scripting Engine out-of-bounds write attempt
* 1:62648 <-> SERVER-WEBAPP mySCADA myPRO command injection attempt
* 1:62649 <-> SERVER-WEBAPP NETGEAR RAX30 rex_cgi remote code execution attempt
* 1:62650 <-> SERVER-WEBAPP SysAid Server directory traversal attempt
* 1:62653 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62654 <-> SERVER-WEBAPP Roundcube Webmail cross-site scripting attempt
* 1:62655 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 1:62656 <-> PROTOCOL-OTHER Service Location Protocol denial-of-service attempt
* 3:62661 <-> MALWARE-CNC inbound implant communication attempt
* 3:62662 <-> MALWARE-CNC inbound implant communication attempt
* 3:62663 <-> MALWARE-CNC inbound implant communication request
* 3:62664 <-> MALWARE-CNC inbound implant communication request
* 3:62665 <-> MALWARE-CNC outbound implant communication attempt
* 3:62666 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1850 attack attempt
* 3:62667 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1853 attack attempt
* 3:62668 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1859 attack attempt
* 3:62669 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1858 attack attempt

Modified Rules:

* 3:62645 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1855 attack attempt
* 3:62646 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2023-1854 attack attempt