Talos Rules 2022-01-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-21881: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58866 through 58867.

Microsoft Vulnerability CVE-2022-21882: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58859 through 58860.

Microsoft Vulnerability CVE-2022-21887: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58874 through 58875.

Microsoft Vulnerability CVE-2022-21897: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40689 through 40690.

Microsoft Vulnerability CVE-2022-21907: A coding deficiency exists in HTTP Stack that may lead to remote code execution.

Preprocessors to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 119, SIDs 19 and 31.

Microsoft Vulnerability CVE-2022-21908: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58870 through 58871.

Microsoft Vulnerability CVE-2022-21916: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58872 through 58873.

Microsoft Vulnerability CVE-2022-21919: A coding deficiency exists in Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58868 through 58869.

Talos also has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

29190

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)

Modified Rules:


 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

29181

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)

Modified Rules:


 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

29171

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)

29170

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

29161

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

29160

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

29151

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)

29141

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

29130

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)

29111

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)

3000

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (snort3-malware-cnc.rules)
 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (snort3-os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (snort3-os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (snort3-server-webapp.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (snort3-os-windows.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (snort3-server-webapp.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (snort3-server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (snort3-file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (snort3-indicator-obfuscation.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (snort3-malware-other.rules)

2983

2022-01-11 20:34:01 UTC

Snort Subscriber Rules Update

Date: 2022-01-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:58864 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58872 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)
 * 1:58865 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beacon outbound connection (malware-cnc.rules)
 * 1:58863 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt (server-webapp.rules)
 * 1:58866 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58871 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58870 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt (os-windows.rules)
 * 1:58855 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt (server-webapp.rules)
 * 1:58860 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58859 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:58861 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58875 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58867 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58856 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58862 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58874 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt (os-windows.rules)
 * 1:58868 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt (os-windows.rules)
 * 1:58854 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:58857 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58858 <-> ENABLED <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt (server-webapp.rules)
 * 1:58873 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:40689 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:58335 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt (server-webapp.rules)
 * 1:1628 <-> DISABLED <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt (server-webapp.rules)
 * 1:40690 <-> DISABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:41714 <-> DISABLED <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt (indicator-obfuscation.rules)
 * 1:29105 <-> ENABLED <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt (server-webapp.rules)
 * 1:58336 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

3031

2022-01-11 20:36:25 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3034

2022-01-11 20:36:25 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3100

2022-01-11 20:36:30 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3101

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3110

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3130

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3140

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3150

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3170

2022-01-11 20:36:31 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

3190

2022-01-11 20:36:32 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

31110

2022-01-11 20:36:32 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

31150

2022-01-11 20:36:33 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt

31180

2022-01-11 20:36:33 UTC

Snort Subscriber Rules Update

Date: 2022-01-11-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:58854 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoDebugServlet arbitrary Java object deserialization attempt
* 1:58855 <-> SERVER-WEBAPP Trend Micro Encryption Email Gateway register2 Client SQL injection attempt
* 1:58856 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center TopoReqServlet arbitrary Java object deserialization attempt
* 1:58857 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58858 <-> SERVER-WEBAPP Tendar Router AC11 stack buffer overflow attempt
* 1:58859 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58860 <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt
* 1:58861 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58862 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58863 <-> SERVER-WEBAPP ManageEngine Desktop Central authentication bypass attempt
* 1:58864 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:58866 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58867 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58868 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58869 <-> OS-WINDOWS Microsoft Windows privilege escalation via path redirection attempt
* 1:58870 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58871 <-> OS-WINDOWS Microsoft Windows 10 elevation of privilege attempt
* 1:58872 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58873 <-> OS-WINDOWS Microsoft Windows Common Log File System driver privilege escalation attempt
* 1:58874 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt
* 1:58875 <-> OS-WINDOWS Microsoft Windows kernel elevation of privilege attempt

Modified Rules:

* 1:1628 <-> SERVER-WEBAPP FormHandler.cgi directory traversal attempt
* 1:29105 <-> SERVER-WEBAPP ManageEngine Desktop Central LogUploader servlets directory traversal attempt
* 1:40689 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:40690 <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt
* 1:41714 <-> INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt
* 1:44649 <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt
* 1:47085 <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt
* 1:58335 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:58336 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt