Talos Rules 2021-10-07
This release adds and modifies rules in several categories.

Talos is releasing SID 58276 (SID 300053 for Snort 3) as coverage for CVE-2021-41773, a directory traversal vulnerability in Apache HTTP Server that can lead to remote code execution.

Talos has also added and modified multiple rules in the malware-cnc and server-webapp rule sets to provide coverage for emerging threats.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-06-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort 3. The same list was published for each of the following Snort versions: 3.1.11.0, 3.1.9.0, 3.1.7.0, 3.1.5.0, 3.1.4.0, 3.1.3.0, 3.1.1.0, 3.1.0.1, 3.1.0.0, 3.0.3.4 and 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 3:58254 <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt
* 3:58255 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58256 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58257 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58258 <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt
* 3:58259 <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt
* 1:58260 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58261 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58262 <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt
* 1:58263 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58264 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58265 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58266 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58267 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58268 <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt
* 1:58269 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58270 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58271 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58272 <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt
* 1:58273 <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt
* 1:58274 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58275 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt
* 1:58277 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58278 <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt
* 1:58279 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58280 <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt
* 1:58281 <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response

Modified Rules:

* 1:37732 <-> POLICY-OTHER eicar test string download attempt
* 1:45909 <-> MALWARE-CNC CobaltStrike trial version inbound beacon response


2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (snort3-malware-cnc.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (snort3-server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (snort3-server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (snort3-server-webapp.rules)
 * 1:300053 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-native.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (snort3-server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (snort3-malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (snort3-policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (snort3-malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58260 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58261 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58262 <-> DISABLED <-> SERVER-WEBAPP AlienVault Unified Security Management SQL injection attempt (server-webapp.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58264 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58265 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58266 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58267 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58268 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58269 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58270 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58271 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58272 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus username command injection attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
 * 1:58274 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58275 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center faultDevParasSet expression language injection attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58277 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58279 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58280 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58281 <-> ENABLED <-> MALWARE-CNC Win.Dropper.SquirrelWaffle C2 HTTP response (malware-cnc.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)
 * 3:58256 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58255 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58258 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58257 <-> ENABLED <-> SERVER-WEBAPP Cisco Analog Telephone Adapter command injection attempt (server-webapp.rules)
 * 3:58259 <-> ENABLED <-> SERVER-WEBAPP Cisco Intersight Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
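The file format stated above ("gid:sid <-> Default rule state <-> Message (rule group)") is regular enough to parse, and parsing it is how a detection engineer answers the questions this changelog leaves to the reader: which new SIDs fire on a default policy without tuning, which SIDs cover a given product or threat, and whether two rule packs built for different Snort versions (for example 2091700 and 2091701) actually ship different SIDs or only list the same ones in a different order. The parser below is an added example, not Talos tooling; the SAMPLE changelog embedded in it is constructed from lines on this page (two abbreviated version blocks), and the function and class names are the example's own.

```python
"""Parse a Snort Subscriber Rules Update changelog.

Added example, not Talos tooling. The line format it parses is the one the
changelog itself documents:
    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from dataclasses import dataclass, field

# One "* gid:sid <-> STATE <-> CATEGORY message (group.rules)" entry.
RULE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)
VERSION_RE = re.compile(r"rule pack for Snort version\s+(?P<version>\S+)\.")
DATE_RE = re.compile(r"^Date:\s*(?P<date>\S+)")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default rule state in the shipped pack
    category: str      # e.g. SERVER-WEBAPP, MALWARE-CNC
    msg: str
    group: str         # rule file, e.g. server-webapp.rules

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


@dataclass
class Update:
    version: str = ""
    date: str = ""
    new: list = field(default_factory=list)
    modified: list = field(default_factory=list)


def parse_rule_line(line: str):
    """Return a Rule for a '* gid:sid <-> ...' line, None for anything else."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                m["category"], m["msg"], m["group"])


def parse_changelog(text: str) -> list:
    """One Update per 'Snort Subscriber Rules Update' block, in file order."""
    updates, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Snort Subscriber Rules Update":
            current = Update()
            updates.append(current)
            section = None
            continue
        if current is None:           # text before the first block
            continue
        if m := DATE_RE.match(stripped):
            current.date = m["date"]
        elif m := VERSION_RE.search(stripped):
            current.version = m["version"]
        elif stripped == "New Rules:":
            section = current.new
        elif stripped == "Modified Rules:":
            section = current.modified
        elif section is not None and (rule := parse_rule_line(line)):
            section.append(rule)
    return updates


def enabled_by_default(update: Update) -> list:
    """Keys of new rules that will alert on a default policy with no tuning."""
    return sorted(r.key for r in update.new if r.enabled)


def find_sids(update: Update, needle: str) -> list:
    """Keys of new or modified rules whose message mentions a product/threat."""
    return sorted(r.key for r in update.new + update.modified
                  if needle.lower() in r.msg.lower())


def diff_new_rules(a: Update, b: Update) -> tuple:
    """(only in a, only in b) for the New Rules sections; order is ignored."""
    ka, kb = {r.key for r in a.new}, {r.key for r in b.new}
    return sorted(ka - kb), sorted(kb - ka)


# Constructed sample: two abbreviated version blocks built from lines on this page.
SAMPLE = """\
2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 3:58254 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine command execution attempt (server-webapp.rules)

Modified Rules:

 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:45909 <-> DISABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)

2021-10-07 13:22:43 UTC

Snort Subscriber Rules Update

Date: 2021-10-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

New Rules:

 * 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
 * 1:58278 <-> ENABLED <-> MALWARE-CNC Xls.Dropper.SquirrelWaffle download attempt (malware-cnc.rules)
 * 1:58263 <-> DISABLED <-> SERVER-WEBAPP MailEnable Enterprise Premium directory traversal attempt (server-webapp.rules)
 * 1:58273 <-> ENABLED <-> SERVER-WEBAPP QNAP HBS 3 authorization bypass attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    ups = parse_changelog(SAMPLE)
    for u in ups:
        print(u.version, u.date, "enabled by default:", enabled_by_default(u))
    print("Apache coverage:", find_sids(ups[0], "Apache"))
    print("2091700 vs 2091701:", diff_new_rules(ups[0], ups[1]))
```

The three query functions are the practical payoff: `enabled_by_default` is what to review before a pack goes live, since DISABLED entries such as the MailEnable and IBM Spectrum Protect Plus rules above do nothing until a policy turns them on; `find_sids` locates coverage for a product by message text; and `diff_new_rules` compares packs by SID set, which matters because the per-version lists on this page differ in ordering but not in content.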