Talos Rules 2021-03-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, malware-cnc, os-windows, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

New Rules:


 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

New Rules:


 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

New Rules:


 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

New Rules:


 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

New Rules:


 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:


 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)

Modified Rules:


 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (snort3-malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (snort3-protocol-tftp.rules)
 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)

2021-03-25 13:47:00 UTC

Snort Subscriber Rules Update

Date: 2021-03-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:


 * 1:57342 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:57341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork variant beaconing attempt (malware-cnc.rules)
 * 1:57347 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57348 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 3:57358 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57353 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57346 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57357 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57354 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57352 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP cross site scripting attempt (browser-other.rules)
 * 3:57356 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:57351 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP mention message denial of service attempt (browser-other.rules)
 * 3:57349 <-> ENABLED <-> SERVER-OTHER Cisco Virtual Switching System stack buffer overflow attempt (server-other.rules)
 * 3:57344 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS-XE Software Plug-and-Play command execution attempt (server-webapp.rules)
 * 3:57359 <-> ENABLED <-> BROWSER-OTHER Cisco Jabber XMPP information disclosure attempt (browser-other.rules)
 * 3:57345 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software cross site request forgery attempt (server-webapp.rules)
 * 3:57360 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:57343 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS and IOS-XE Application Environment directory traversal attempt (server-webapp.rules)
 * 3:57350 <-> ENABLED <-> SERVER-OTHER invalid multicast DNS name length response attempt (server-other.rules)

Modified Rules:


 * 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
 * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
 * 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)