Talos Rules 2021-01-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)

Modified Rules:


 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)

2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (snort3-malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (snort3-malware-other.rules)
 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (snort3-malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (snort3-malware-cnc.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (snort3-malware-other.rules)

Modified Rules:



2021-01-21 13:57:35 UTC

Snort Subscriber Rules Update

Date: 2021-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:56952 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56964 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56965 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Kovter-9822841-0 download attempt (malware-other.rules)
 * 1:56951 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Medfos-9822521-0 download attempt (malware-other.rules)
 * 1:56966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
 * 3:56963 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage request detected (policy-other.rules)
 * 3:56946 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN WebUI command injection attempt (server-webapp.rules)
 * 3:56955 <-> ENABLED <-> POLICY-OTHER Cisco Smart Software Manager Satellite Web UI user creation detected (policy-other.rules)
 * 3:56953 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56956 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager session validation request detected (policy-other.rules)
 * 3:56945 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56940 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56950 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center command injection attempt (server-webapp.rules)
 * 3:56943 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56957 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56941 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56947 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56954 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:56959 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56958 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage terminal request detected (policy-other.rules)
 * 3:56960 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56944 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56942 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
 * 3:56938 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56961 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage enumeration request detected (policy-other.rules)
 * 3:56939 <-> ENABLED <-> SERVER-WEBAPP Cisco Smart Software Manager Satellite Web UI command injection attempt (server-webapp.rules)
 * 3:56962 <-> ENABLED <-> POLICY-OTHER Cisco SD-WAN vManage configuration request detected (policy-other.rules)

Modified Rules:


 * 3:56894 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)
 * 3:56893 <-> ENABLED <-> FILE-OTHER OpenSSL configuration arbitrary DLL load attempt (file-other.rules)