Talos Rules 2021-07-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-31979: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57894 through 57895.

Microsoft Vulnerability CVE-2021-33771: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57896 through 57897.

Microsoft Vulnerability CVE-2021-34448: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2021-34449: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57890 through 57891.

Microsoft Vulnerability CVE-2021-34467: A coding deficiency exists in Microsoft SharePoint Server that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 57910.

Microsoft Vulnerability CVE-2021-34473: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57906 through 57909.

Microsoft Vulnerability CVE-2021-34527: A coding deficiency exists in Microsoft Windows Print Spooler that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 57876 through 57877.

Talos also has added and modified multiple rules in the browser-ie, malware-cnc, os-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (snort3-server-webapp.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (snort3-os-windows.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (snort3-server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (snort3-server-other.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (snort3-server-other.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (snort3-server-other.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (snort3-server-webapp.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (snort3-server-webapp.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (snort3-server-webapp.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (snort3-server-webapp.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (snort3-server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (snort3-server-other.rules)

Modified Rules:


 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (snort3-browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (snort3-browser-ie.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (snort3-server-other.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (snort3-server-other.rules)
 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (snort3-server-other.rules)

2021-07-13 17:45:36 UTC

Snort Subscriber Rules Update

Date: 2021-07-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57890 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57907 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57903 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57906 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57891 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:57909 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57905 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57894 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 1:57901 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:57893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt (malware-cnc.rules)
 * 1:57892 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt (server-webapp.rules)
 * 1:57902 <-> ENABLED <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt (server-webapp.rules)
 * 1:57898 <-> ENABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:57904 <-> ENABLED <-> SERVER-OTHER Kaseya authentication bypass attempt (server-other.rules)
 * 1:57897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:57910 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt (server-webapp.rules)
 * 1:57908 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt (server-webapp.rules)
 * 1:57895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt (os-windows.rules)
 * 3:57899 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)
 * 3:57900 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1340 attack attempt (os-other.rules)

Modified Rules:


 * 1:57199 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:57197 <-> DISABLED <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt (server-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

2021-07-13 17:58:17 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:17 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:17 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:17 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:18 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:18 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:18 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt


2021-07-13 17:58:18 UTC

Snort Subscriber Rules Update

Date: 2021-07-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:57890 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57891 <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt
* 1:57892 <-> SERVER-WEBAPP Oracle GlassFish administration console authentication bypass attempt
* 1:57893 <-> MALWARE-CNC Win.Trojan.TrickBot outbound connection attempt
* 1:57894 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57895 <-> OS-WINDOWS Microsoft Windows Kernel privilege escalation attempt
* 1:57896 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57897 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:57898 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:57901 <-> MALWARE-CNC Doc.Downloader.Emotet variant outbound connection attempt
* 1:57902 <-> SERVER-WEBAPP HPE Systems Insight Manager remote code execution attempt
* 1:57903 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57904 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57905 <-> SERVER-OTHER Kaseya authentication bypass attempt
* 1:57906 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57907 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57908 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57909 <-> SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
* 1:57910 <-> SERVER-WEBAPP Microsoft SharePoint Server authenticated remote code execution attempt

Modified Rules:

* 1:42749 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:42750 <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt
* 1:45499 <-> SERVER-OTHER ISC DHCPD remote denial of service attempt
* 1:57197 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt
* 1:57199 <-> SERVER-OTHER Multiple products outbound HTTP request to SIP port and potential NAT slipstreaming attack attempt