Snort - Network Intrusion Detection & Prevention System

Talos Rules 2024-06-04

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, malware-cnc, malware-tools, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

29200

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)

29190

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)

29181

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)

29171

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)

29170

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)

29161

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)

29160

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)

29151

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)

29141

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)

29130

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)

29111

2024-06-04 13:46:25 UTC

Snort Subscriber Rules Update

Date: 2024-06-04

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63546 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63524 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63522 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63551 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 1:63534 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63527 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:63539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:63548 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63526 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63529 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63523 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63533 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63544 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63545 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt (malware-tools.rules)
 * 1:63532 <-> ENABLED <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt (server-webapp.rules)
 * 1:63549 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt (malware-tools.rules)
 * 1:63536 <-> DISABLED <-> SERVER-WEBAPP Arcadyan routers path traversal attempt (server-webapp.rules)
 * 1:63537 <-> DISABLED <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt (server-webapp.rules)
 * 1:63531 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63542 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63535 <-> DISABLED <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt (policy-other.rules)
 * 1:63547 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt (malware-tools.rules)
 * 1:63528 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63538 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection (malware-cnc.rules)
 * 1:63525 <-> DISABLED <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt (server-other.rules)
 * 1:63541 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63521 <-> ENABLED <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection (malware-cnc.rules)
 * 1:63540 <-> DISABLED <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt (malware-tools.rules)
 * 1:63530 <-> DISABLED <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt (server-webapp.rules)
 * 1:63543 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt (malware-tools.rules)
 * 1:63550 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt (malware-tools.rules)
 * 3:63552 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:21248 <-> DISABLED <-> SERVER-OTHER multiple vendors host buffer overflow attempt (server-other.rules)
 * 1:37571 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:34889 <-> DISABLED <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt (server-other.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP Multiple products directory traversal attempt (server-webapp.rules)
 * 1:37573 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:29671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt (browser-ie.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)

3000

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3031

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3034

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3100

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3101

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3110

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3130

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3140

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3150

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3170

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3190

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

3200

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31110

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31150

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31180

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31200

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31210

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31350

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31440

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt

31470

2024-06-04 13:51:15 UTC

Snort Subscriber Rules Update

Date: 2024-06-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300923 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:300924 <-> MALWARE-TOOLS Win.Ransomware.Megazord executable download attempt
* 1:300925 <-> MALWARE-TOOLS Win.Malware.BadPotato executable download attempt
* 1:300926 <-> MALWARE-TOOLS Win.Malware.SpoolFool executable download attempt
* 1:300927 <-> MALWARE-TOOLS Win.Malware.JuicyPotato executable download attempt
* 1:300928 <-> MALWARE-TOOLS Win.Malware.SweetPotato executable download attempt
* 1:300929 <-> MALWARE-TOOLS Win.Malware.RottenPotato executable download attempt
* 1:63521 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63522 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63523 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63524 <-> MALWARE-CNC Win.Malware.DarkGate variant outbound connection
* 1:63525 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63526 <-> SERVER-OTHER PHP ldap_get_entries denial of service attempt
* 1:63527 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt
* 1:63528 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63529 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63530 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63531 <-> SERVER-WEBAPP ZoneMinder monitor_ids command injection attempt
* 1:63532 <-> SERVER-WEBAPP Check Point CloudGuard directory traversal attempt
* 1:63533 <-> POLICY-OTHER D-Link DIR-605L information disclosure attempt
* 1:63536 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63537 <-> SERVER-WEBAPP Arcadyan Buffalo directory traversal attempt
* 1:63538 <-> MALWARE-CNC Win.Trojan.SpiceRAT variant outbound connection
* 3:63552 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1981 attack attempt

Modified Rules:

* 1:21248 <-> SERVER-OTHER multiple vendors host buffer overflow attempt
* 3:28487 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 3:28488 <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt
* 1:29671 <-> BROWSER-IE Microsoft Internet Explorer SVG handling use after free attempt
* 1:300007 <-> SERVER-WEBAPP Multiple products directory traversal attempt
* 1:34878 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34879 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34880 <-> SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt
* 1:34889 <-> SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt
* 1:37571 <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt
* 1:53744 <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt