Talos Rules 2020-07-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)

Modified Rules:

 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)

Modified Rules:

 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)

Modified Rules:

 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)

Modified Rules:

 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:

 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)

Modified Rules:

 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (snort3-server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (snort3-malware-other.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (snort3-policy-other.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (snort3-policy-other.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (snort3-malware-other.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (snort3-malware-cnc.rules)
 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (snort3-malware-cnc.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (snort3-server-webapp.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (snort3-server-webapp.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (snort3-server-webapp.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (snort3-server-other.rules)
 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (snort3-server-webapp.rules)

2020-07-16 12:34:27 UTC

Snort Subscriber Rules Update

Date: 2020-07-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54567 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54570 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54566 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54569 <-> ENABLED <-> SERVER-WEBAPP Barangay Management System SQL injection attempt (server-webapp.rules)
 * 1:54559 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54573 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54556 <-> ENABLED <-> SERVER-WEBAPP BSA Radar local file inclusion attempt (server-webapp.rules)
 * 1:54565 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54536 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Netwire-8821558-0 download attempt (malware-other.rules)
 * 1:54574 <-> DISABLED <-> POLICY-OTHER SAP NetWeaver AS LM Configuration Wizard access detected (policy-other.rules)
 * 1:54555 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54554 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant payload download attempt (malware-cnc.rules)
 * 1:54572 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 1:54558 <-> ENABLED <-> SERVER-WEBAPP Park Ticketing Management System SQL injection attempt (server-webapp.rules)
 * 1:54571 <-> ENABLED <-> SERVER-WEBAPP SAP NetWeaver AS LM Configuration Wizard directory traversal attempt (server-webapp.rules)
 * 3:54549 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54553 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage file upload detected (policy-other.rules)
 * 3:54557 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers authentication bypass attempt (server-webapp.rules)
 * 3:54551 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54562 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54561 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54538 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54539 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54550 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54552 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers null pointer dereference attempt (server-webapp.rules)
 * 3:54547 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54540 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54541 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:54542 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54563 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54564 <-> ENABLED <-> POLICY-OTHER Cisco RV Series Routers configuration download detected (policy-other.rules)
 * 3:54543 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers heap buffer overflow attempt (server-webapp.rules)
 * 3:54568 <-> ENABLED <-> POLICY-OTHER Cisco Prime License Manager password reset detected (policy-other.rules)
 * 3:54544 <-> ENABLED <-> POLICY-OTHER Cisco RV110W Router default credential login detected (policy-other.rules)
 * 3:54545 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:54546 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage cypher query language injection attempt (server-webapp.rules)
 * 3:54560 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
 * 3:54548 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:54484 <-> ENABLED <-> SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt (server-webapp.rules)