Talos Rules 2021-09-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-other, browser-webkit, deleted, exploit-kit, file-executable, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, malware-cnc, malware-other, netbios, os-linux, os-other, os-windows, policy-other, policy-social, protocol-dns, protocol-icmp, protocol-nntp, protocol-other, protocol-scada, protocol-snmp, protocol-tftp, protocol-voip, pua-p2p, server-iis, server-mail, server-mysql, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 3:58100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58099 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58101 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt (file-image.rules)
 * 3:58104 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt (policy-other.rules)
 * 3:58097 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)
 * 3:58098 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt (server-webapp.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (snort3-malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (snort3-browser-chrome.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (snort3-file-pdf.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (snort3-browser-chrome.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (snort3-malware-other.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (snort3-malware-other.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (snort3-file-pdf.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (snort3-malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (snort3-malware-cnc.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (snort3-malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (snort3-malware-other.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (snort3-malware-other.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (snort3-malware-other.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (snort3-malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (snort3-malware-other.rules)

Modified Rules:



2021-09-02 12:48:55 UTC

Snort Subscriber Rules Update

Date: 2021-09-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58084 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58091 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58090 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58089 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt (malware-other.rules)
 * 1:58088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection (malware-cnc.rules)
 * 1:58092 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt (malware-other.rules)
 * 1:58083 <-> ENABLED <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt (malware-other.rules)
 * 1:58094 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58086 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58093 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt (server-webapp.rules)
 * 1:58102 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58096 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt (malware-other.rules)
 * 1:58103 <-> DISABLED <-> FILE-PDF Adobe Reader ESObject use after free attempt (file-pdf.rules)
 * 1:58081 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)
 * 1:58085 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt (malware-other.rules)
 * 1:58087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection (malware-cnc.rules)
 * 1:58095 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt (malware-other.rules)
 * 1:58082 <-> DISABLED <-> BROWSER-CHROME Chromium V8 type confusion attempt (browser-chrome.rules)

Modified Rules:



2021-09-02 13:04:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules:



2021-09-02 13:04:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58081 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58082 <-> BROWSER-CHROME Chromium V8 type confusion attempt
* 1:58083 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58084 <-> MALWARE-OTHER Vbs.Worm.HWorm variant script download attempt
* 1:58085 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58086 <-> MALWARE-OTHER Win.Trojan.Aspire variant binary download attempt
* 1:58087 <-> MALWARE-CNC Win.Trojan.njRAT variant outbound connection
* 1:58088 <-> MALWARE-CNC Win.Trojan.Aspire variant outbound connection
* 1:58089 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58090 <-> MALWARE-OTHER Php.Webshell.Phpshell3 upload attempt
* 1:58091 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58092 <-> MALWARE-OTHER Php.Webshell.Phpshell3 download attempt
* 1:58093 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58094 <-> SERVER-WEBAPP Atlassian Confluence OGNL injection remote code execution attempt
* 1:58095 <-> MALWARE-OTHER Asp.Webshell.Ajan download attempt
* 1:58096 <-> MALWARE-OTHER Asp.Webshell.Ajan upload attempt
* 3:58097 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58098 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58099 <-> SERVER-WEBAPP Cisco Enterprise NFVIS authentication bypass attempt
* 3:58100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 3:58101 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1367 attack attempt
* 1:58102 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 1:58103 <-> FILE-PDF Adobe Reader ESObject use after free attempt
* 3:58104 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2021-1361 attack attempt

Modified Rules: