Talos Rules 2021-09-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, malware-cnc, malware-other, os-other, os-windows, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)
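The change log above follows the `gid:sid <-> Default rule state <-> Message (rule group)` format described at the top of each block, and it repeats once per supported Snort build. Two things a practitioner usually wants out of it: which new rules ship DISABLED (here the CLFS privilege-escalation, MSHTML CTreePos and Ghostscript rules, among others), since those do nothing until enabled in the local policy, and which entries are gid 3 shared-object rules, which are precompiled per Snort version rather than plain text rules. The parser below is an added example, not Talos tooling; it runs over a short excerpt of the listing above (copied from the page, labelled as the sample) and also cross-checks the release summary sentence against the rule groups actually present in the list. The helper names and the regular expression are this example's own assumptions about the format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One change-log entry: " * gid:sid <-> STATE <-> CATEGORY message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z]+-[A-Z]+)\s+(?P<msg>.*?)\s*\((?P<group>[a-z0-9-]+\.rules)\)\s*$"
)

# Sample input: an excerpt of the 2021-09-23 listing on this page (constructed subset).
SAMPLE = """\
New Rules:

 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)

Modified Rules:

 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)
"""

# The release summary sentence from the page, used for the cross-check below.
SUMMARY = ("Talos has added and modified multiple rules in the browser-ie, file-other, "
           "malware-cnc, malware-other, os-other, os-windows and server-other rule sets "
           "to provide coverage for emerging threats from these technologies.")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str
    message: str
    group: str

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_entry(line: str):
    """Parse one change-log line; return None for headers and other non-entry lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["category"], m["msg"], m["group"])


def parse_changelog(text: str) -> dict:
    """Split a change log into {'new': [...], 'modified': [...]} using its section headers."""
    sections = {"new": [], "modified": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = "new"
            continue
        if line == "Modified Rules:":
            current = "modified"
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def disabled_by_default(entries) -> list:
    """gid:sid of rules that ship DISABLED and need a local policy change to alert."""
    return [e.ref for e in entries if not e.enabled]


def shared_object_rules(entries) -> list:
    """gid 3 entries are shared-object (SO) rules, built per Snort version."""
    return [e.ref for e in entries if e.gid == 3]


def rule_groups(entries) -> Counter:
    """How many entries land in each .rules file."""
    return Counter(e.group for e in entries)


def groups_missing_from_summary(summary: str, entries) -> set:
    """Rule groups present in the listing but not named in the release summary sentence."""
    mentioned = set(re.findall(r"\b[a-z]+-[a-z]+\b", summary))
    present = {e.group[: -len(".rules")] for e in entries}
    return present - mentioned


if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    everything = sections["new"] + sections["modified"]
    print("new:", len(sections["new"]), "modified:", len(sections["modified"]))
    print("disabled by default:", disabled_by_default(sections["new"]))
    print("shared-object rules:", shared_object_rules(everything))
    print("groups:", dict(rule_groups(sections["new"])))
    print("groups not in summary:", groups_missing_from_summary(SUMMARY, everything))
```

Run against the full page, the summary check reports `policy-other`, which the listing contains (3:58189, 3:58190 and the modified 3:58110) but the one-line summary omits; that kind of gap is why the listing, not the summary, should drive a policy review after a rule update.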

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 3:58191 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58188 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)
 * 3:58187 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt (server-other.rules)
 * 3:58190 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)
 * 3:58189 <-> ENABLED <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected (policy-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
 * 3:58110 <-> ENABLED <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected (policy-other.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (snort3-malware-other.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (snort3-browser-ie.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (snort3-malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (snort3-malware-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (snort3-file-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (snort3-malware-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (snort3-os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (snort3-os-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (snort3-browser-ie.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (snort3-malware-other.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (snort3-malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (snort3-malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (snort3-malware-other.rules)
 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (snort3-malware-other.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (snort3-file-other.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (snort3-malware-cnc.rules)

2021-09-23 12:38:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58197 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58175 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58174 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58176 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58177 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58198 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58178 <-> DISABLED <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt (malware-other.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 1:58180 <-> DISABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt (malware-other.rules)
 * 1:58181 <-> ENABLED <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt (malware-other.rules)
 * 1:58183 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt (browser-ie.rules)
 * 1:58185 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt (malware-other.rules)
 * 1:58186 <-> DISABLED <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt (file-other.rules)
 * 1:58192 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58193 <-> ENABLED <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt (os-other.rules)
 * 1:58199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)

2021-09-23 12:51:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected
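
The release notes above use two line formats: the Snort 2 packs list "gid:sid <-> Default rule state <-> Message (rule group)", while the Snort 3 packs list only "gid:sid <-> Message". The following Python is an added example, not Talos or Snort tooling, that parses both formats so the lists can be checked mechanically: which new rules ship DISABLED by default (on this page that includes the CLFS privilege escalation, IE MSHTML and ImageMagick/Ghostscript rules, which give no coverage until a policy enables them), and which gid:sid pairs appear in one pack's list but not another's (the 2983 and 3000 lists on this page carry no gid:3 entries). The sample text is a constructed excerpt of entries from this page; the function and class names are this example's own.

```python
"""Parse Talos "Snort Subscriber Rules Update" changelogs (added example, not Talos code).

Handles both line formats used in the release notes:
    * gid:sid <-> ENABLED|DISABLED <-> Message (group.rules)   (Snort 2 packs)
    * gid:sid <-> Message                                      (Snort 3 packs)
"""
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(
    r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?:(?P<state>ENABLED|DISABLED)\s+<->\s+)?"   # absent in Snort 3 packs
    r"(?P<msg>.+?)"
    r"(?:\s+\((?P<group>[\w.-]+\.rules)\))?$"       # absent in Snort 3 packs
)

# Constructed excerpts of the entries listed on this page.
SNORT2_SAMPLE = """\
New Rules:


 * 1:58196 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt (os-windows.rules)
 * 1:58179 <-> ENABLED <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt (malware-other.rules)
 * 3:58182 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt (server-other.rules)

Modified Rules:


 * 1:57991 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt (malware-cnc.rules)
"""

SNORT3_SAMPLE = """\
New Rules:

* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    section: str            # "new" or "modified"
    message: str
    state: Optional[str]    # "ENABLED"/"DISABLED", or None for Snort 3 packs
    group: Optional[str]    # e.g. "os-windows.rules", or None for Snort 3 packs

    @property
    def category(self) -> str:
        # Every message starts with its rule category, e.g. OS-WINDOWS.
        return self.message.split(" ", 1)[0]

    @property
    def key(self) -> tuple:
        return (self.gid, self.sid)


def parse_changelog(text: str) -> list:
    """Return RuleEntry objects for every rule line under New Rules / Modified Rules."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            section = "new"
            continue
        if line == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if section is None or m is None:
            continue  # headers, blank lines and unrelated text
        entries.append(RuleEntry(gid=int(m["gid"]), sid=int(m["sid"]), section=section,
                                 message=m["msg"], state=m["state"], group=m["group"]))
    return entries


def disabled_new_rules(entries) -> list:
    """gid:sid pairs of new rules that ship DISABLED and so give no coverage until enabled."""
    return sorted(e.key for e in entries if e.section == "new" and e.state == "DISABLED")


def missing_from(reference, other) -> list:
    """gid:sid pairs present in one pack's changelog but absent from another's."""
    have = {e.key for e in other}
    return sorted(e.key for e in reference if e.key not in have)


def category_counts(entries) -> dict:
    counts = {}
    for e in entries:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


if __name__ == "__main__":
    s2, s3 = parse_changelog(SNORT2_SAMPLE), parse_changelog(SNORT3_SAMPLE)
    print("disabled by default:", disabled_new_rules(s2))
    print("in Snort 2 list but not Snort 3 list:", missing_from(s2, s3))
    print("per category:", category_counts(s2))
```

Run it against a full changelog by passing the pasted text to parse_changelog; the DISABLED list is the set of SIDs to review for explicit enabling in your policy, since a rule's presence in the pack does not mean it alerts.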


2021-09-23 12:51:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:52 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected


2021-09-23 12:51:53 UTC

Snort Subscriber Rules Update

Date: 2021-09-22-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58174 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58175 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58176 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58177 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58178 <-> MALWARE-OTHER Asp.Webshell.Cmd download attempt
* 1:58179 <-> MALWARE-OTHER Asp.Webshell.Cmd upload attempt
* 1:58180 <-> MALWARE-OTHER Jsp.Webshell.Hsxa download attempt
* 1:58181 <-> MALWARE-OTHER Jsp.Webshell.Hsxa upload attempt
* 3:58182 <-> SERVER-OTHER Cisco IOS XE Software for CBR8 COPS denial of service attempt
* 1:58183 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58184 <-> BROWSER-IE Microsoft Internet Explorer MSHTML CTreePos remote code execution attempt
* 1:58185 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 1:58186 <-> FILE-OTHER Imagemagick Ghostscript 9.50 remote code execution attempt
* 3:58187 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58188 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 3:58189 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58190 <-> POLICY-OTHER Cisco IOS and IOS XE TrustSec deprecated API access detected
* 3:58191 <-> SERVER-OTHER Cisco IOS XE Wireless Controller Software CAPWAP denial of service attempt
* 1:58192 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58193 <-> OS-OTHER Apple macOS Finder remote code execution inetloc file download attempt
* 1:58194 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58195 <-> MALWARE-OTHER Win.Trojan.Bandidos inbound delivery attempt
* 1:58196 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58197 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58198 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt
* 1:58199 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver privilege escalation attempt

Modified Rules:

* 1:57991 <-> MALWARE-CNC Win.Trojan.Bandidos outbound connection attempt
* 3:58110 <-> POLICY-OTHER Cisco BroadWorks administrator account modification detected