Talos Rules 2021-12-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)

Modified Rules:


 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (snort3-server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (snort3-server-webapp.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (snort3-server-webapp.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (snort3-policy-other.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (snort3-server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (snort3-policy-other.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (snort3-server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (snort3-browser-chrome.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (snort3-policy-other.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (snort3-server-webapp.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (snort3-server-webapp.rules)
 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (snort3-server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (snort3-browser-chrome.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (snort3-server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (snort3-malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (snort3-malware-cnc.rules)

2021-12-02 13:14:48 UTC

Snort Subscriber Rules Update

Date: 2021-12-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58682 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58670 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58679 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58677 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58675 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt (server-webapp.rules)
 * 1:58683 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58680 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:58684 <-> DISABLED <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt (browser-chrome.rules)
 * 1:58676 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58673 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58674 <-> DISABLED <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt (policy-other.rules)
 * 1:58678 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt (server-webapp.rules)
 * 1:58672 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58671 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt (server-webapp.rules)
 * 1:58681 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:58563 <-> DISABLED <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper (malware-cnc.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:37245 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:09 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:10 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:10 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:10 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:10 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt


2021-12-02 13:18:10 UTC

Snort Subscriber Rules Update

Date: 2021-12-01-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58669 <-> SERVER-WEBAPP Trend Micro Control Manager ProductTree_TreeManagement1 XML external entity injection attempt
* 1:58670 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58671 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58672 <-> SERVER-WEBAPP Trend Micro Control Manager CCGIServlet DLPIncidentStatusChangeResult SQL injection attempt
* 1:58673 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58674 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58675 <-> POLICY-OTHER Dell SonicWall Email Security administrator account creation attempt
* 1:58676 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58677 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58678 <-> SERVER-WEBAPP GE MDS PulseNET FileServlet directory traversal attempt
* 1:58679 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58680 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58681 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58682 <-> SERVER-WEBAPP Trend Micro InterScan Web Security Virtual Appliance command injection attempt
* 1:58683 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt
* 1:58684 <-> BROWSER-CHROME Google Chrome ScriptProcessorNode race condition exploit attempt

Modified Rules:

* 1:19813 <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt
* 1:27966 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27967 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:27968 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:28323 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:37245 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42834 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42835 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42836 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42837 <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection
* 1:42838 <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper
* 1:58563 <-> SERVER-WEBAPP GE MDS PulseNET foglight service arbitrary Java object deserialization attempt