Talos Rules 2021-06-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, exploit-kit, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats. Note the default states below: the new server-webapp exploit coverage (Nagios XI, Nagios Fusion, Trend Micro SafeSync) and the new malware-other download and phishing detections ship DISABLED and must be enabled in a local policy where the affected products or mail flows are in scope, while the Cisco ASA cross-site scripting rules and all of the new malware-cnc rules ship ENABLED.

Change logs

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (server-webapp.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (malware-cnc.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (malware-other.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 3:57784 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
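The change-log format described above ("gid:sid <-> Default rule state <-> Message (rule group)") is simple enough to parse, and parsing it answers the two questions that matter when a release is applied: which new SIDs ship DISABLED and therefore need to be turned on where the affected product is deployed, and whether two per-version lists really contain different rules or merely list the same ones in a different order. The Python below is an added example, not code from Talos or the Snort project. It assumes the one-gid:sid-per-line format of PulledPork's enablesid.conf for its output, and its sample input is a constructed excerpt of the entries listed above.

```python
"""Parse Snort/Talos rule-update change logs ("gid:sid <-> Default rule state <->
Message (rule group)") and answer what an operator asks on each release: what
landed, what ships DISABLED, and whether two per-version lists really differ."""
import re
from collections import Counter
from dataclasses import dataclass

# One change-log entry; the leading " * " bullet is optional (page vs. raw file).
_ENTRY = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def category(self) -> str:
        # Talos messages open with the category tag, e.g. "SERVER-WEBAPP ...".
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> dict:
    """Return {"new": [Rule, ...], "modified": [Rule, ...]} for one release section."""
    out = {"new": [], "modified": []}
    bucket = None
    for line in text.splitlines():
        if line.strip() == "New Rules:":
            bucket = "new"
        elif line.strip() == "Modified Rules:":
            bucket = "modified"
        else:
            m = _ENTRY.match(line)
            if m and bucket:  # headers and the format-description line never match
                out[bucket].append(Rule(int(m["gid"]), int(m["sid"]),
                                        m["state"], m["msg"], m["group"]))
    return out


def summarize(rules: list) -> Counter:
    """Count rules by (category, default state), e.g. ("MALWARE-CNC", "ENABLED")."""
    return Counter((r.category, r.state) for r in rules)


def disabled_by_default(rules: list, keyword: str = "") -> list:
    """Rules shipped DISABLED whose message contains keyword (case-insensitive).
    Server-side exploit coverage often ships disabled; the site has to opt in."""
    kw = keyword.lower()
    return sorted((r for r in rules if r.state == "DISABLED" and kw in r.msg.lower()),
                  key=lambda r: (r.gid, r.sid))


def enablesid_lines(rules: list) -> list:
    """gid:sid per line, the form PulledPork's enablesid.conf accepts (assumed
    format; adapt for other rule managers)."""
    return [f"{r.gid}:{r.sid}" for r in rules]


def same_rule_set(a: dict, b: dict) -> bool:
    """True when two sections add and modify the same rules, whatever the listing order."""
    return set(a["new"]) == set(b["new"]) and set(a["modified"]) == set(b["modified"])


# Constructed sample input: a short excerpt of this release's entries, once in the
# sorted order of the 2091800 list and once shuffled the way the 2091701 list prints.
SAMPLE_2091800 = """\
New Rules:

 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
"""
SAMPLE_2091701 = """\
New Rules:

 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)

Modified Rules:

 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
"""

if __name__ == "__main__":
    rel = parse_changelog(SAMPLE_2091800)
    for (cat, state), n in sorted(summarize(rel["new"]).items()):
        print(f"{cat:16} {state:9} {n}")
    print("enable on web-app sensors:",
          ", ".join(enablesid_lines(disabled_by_default(rel["new"], "command injection"))))
    print("2091701 same set as 2091800:", same_rule_set(rel, parse_changelog(SAMPLE_2091701)))
```

Paste a whole release section into the sample string (or read it from a file) to get the per-category counts for a real update; the `enablesid_lines` output drops straight into the rule manager's enable list, and `same_rule_set` is the check that tells you whether two per-version lists are worth reading separately.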

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

The Sourcefire VRT Certified rule packs for Snort versions 2091701, 2091700, 2091601, 2091600, 2091501 and 2091500 carry exactly the same change set as the 2091800 pack listed above: new rules 1:57835 through 1:57871 with the same default states and messages, and the same three modified rules (1:26527, 3:57783 and 3:57784). The per-version lists differ only in the order in which the entries are printed.

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (server-webapp.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (malware-other.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (malware-cnc.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 3:57784 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (malware-other.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (malware-cnc.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (server-webapp.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57784 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (malware-other.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (server-webapp.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 3:57784 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (snort3-malware-cnc.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (snort3-server-webapp.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (snort3-malware-cnc.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (snort3-browser-chrome.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (snort3-server-webapp.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (snort3-malware-cnc.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (snort3-malware-other.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (snort3-malware-other.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (snort3-malware-other.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (snort3-server-webapp.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (snort3-malware-other.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (snort3-malware-other.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (snort3-malware-other.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (snort3-server-webapp.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (snort3-malware-other.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (snort3-malware-cnc.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (snort3-server-webapp.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (snort3-server-webapp.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (snort3-server-webapp.rules)
 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (snort3-exploit-kit.rules)

2021-06-29 13:54:30 UTC

Snort Subscriber Rules Update

Date: 2021-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57864 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57860 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57870 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57863 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57858 <-> ENABLED <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt (malware-cnc.rules)
 * 1:57857 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57836 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57871 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57843 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57866 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57861 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)
 * 1:57838 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57859 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected (malware-other.rules)
 * 1:57839 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57868 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57848 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57847 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57849 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection (malware-cnc.rules)
 * 1:57855 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57852 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt (malware-other.rules)
 * 1:57867 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57837 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57856 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt (server-webapp.rules)
 * 1:57841 <-> DISABLED <-> SERVER-WEBAPP Nagios Fusion command injection attempt (server-webapp.rules)
 * 1:57850 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57840 <-> DISABLED <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt (browser-chrome.rules)
 * 1:57842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57846 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57851 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57869 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit outbound connection attempt (malware-cnc.rules)
 * 1:57854 <-> DISABLED <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt (malware-other.rules)
 * 1:57853 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt (malware-other.rules)
 * 1:57835 <-> DISABLED <-> SERVER-WEBAPP Nagios XI command injection attempt (server-webapp.rules)
 * 1:57865 <-> ENABLED <-> MALWARE-CNC Netfilter rootkit download attempt (malware-cnc.rules)
 * 1:57845 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection (malware-cnc.rules)
 * 1:57862 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:26527 <-> DISABLED <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt (exploit-kit.rules)
 * 3:57783 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)
 * 3:57784 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1324 attack attempt (server-webapp.rules)

2021-06-29 13:56:18 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt


2021-06-29 13:56:19 UTC

Snort Subscriber Rules Update

Date: 2021-06-28-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300039 <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt
* 1:57835 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57836 <-> SERVER-WEBAPP Nagios XI command injection attempt
* 1:57837 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57838 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57839 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57840 <-> BROWSER-CHROME Google Chrome NewFixedDoubleArray memory corruption attempt
* 1:57841 <-> SERVER-WEBAPP Nagios Fusion command injection attempt
* 1:57842 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57843 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57844 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57845 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57846 <-> MALWARE-CNC Win.Trojan.ActionRAT variant outbound connection
* 1:57847 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57848 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57849 <-> MALWARE-CNC Win.Trojan.CetaRAT variant outbound connection
* 1:57850 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57851 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57852 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57853 <-> MALWARE-OTHER Win.Backdoor.VictoryDll variant download attempt
* 1:57854 <-> MALWARE-OTHER Doc.Dropper.RoyalRoadRTF variant download attempt
* 1:57855 <-> MALWARE-OTHER Win.Downloader.VictoryDll variant download attempt
* 1:57856 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57857 <-> SERVER-WEBAPP Cisco ASA cross site scripting attempt
* 1:57858 <-> MALWARE-CNC Win.Downloader.VictoryDll outbound connection attempt
* 1:57859 <-> MALWARE-OTHER Win.Trojan.BazaCall variant phishing e-mail detected
* 1:57860 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57861 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57862 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57863 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise command injection attempt
* 1:57864 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57865 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57866 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57867 <-> MALWARE-CNC Netfilter rootkit download attempt
* 1:57868 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57869 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57870 <-> MALWARE-CNC Netfilter rootkit outbound connection attempt
* 1:57871 <-> MALWARE-CNC Netfilter rootkit download attempt

Modified Rules:

* 1:26527 <-> EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt