Talos Rules 2023-03-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-office, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 3:61503 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)
 * 3:61504 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt (file-office.rules)

Modified Rules:


 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61490 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (snort3-malware-other.rules)
 * 1:61498 <-> ENABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (snort3-policy-other.rules)
 * 1:61501 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (snort3-server-webapp.rules)
 * 1:61502 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:60673 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60675 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60678 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60677 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60676 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60674 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60670 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60671 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:60672 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (snort3-server-webapp.rules)

2023-03-21 13:06:46 UTC

Snort Subscriber Rules Update

Date: 2023-03-21

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:61491 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61489 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection (malware-cnc.rules)
 * 1:61481 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61499 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61500 <-> DISABLED <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt (server-webapp.rules)
 * 1:61493 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61490 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt (malware-other.rules)
 * 1:61487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61494 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Agent outbound connection (malware-cnc.rules)
 * 1:61485 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61501 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt (file-office.rules)
 * 1:61497 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61498 <-> DISABLED <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt (policy-other.rules)
 * 1:61495 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61502 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt (server-webapp.rules)
 * 1:61496 <-> DISABLED <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt (malware-other.rules)
 * 1:61482 <-> DISABLED <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt (malware-other.rules)
 * 1:61492 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt (malware-other.rules)
 * 1:61483 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)
 * 1:61486 <-> DISABLED <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt (server-webapp.rules)
 * 1:61488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:61484 <-> DISABLED <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt (server-webapp.rules)

Modified Rules:


 * 1:60676 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60673 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60672 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60671 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60674 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60675 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60670 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60678 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)
 * 1:60677 <-> DISABLED <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt (server-webapp.rules)

2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:11 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:12 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:12 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:12 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:12 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt


2023-03-21 13:09:12 UTC

Snort Subscriber Rules Update

Date: 2023-03-20-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300465 <-> MALWARE-OTHER Win.Backdoor.MQsTTang variant download attempt
* 1:300466 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:300467 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary download attempt
* 1:300468 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:300469 <-> FILE-OFFICE Microsoft Office Outlook appointment privilege escalation attempt
* 1:61483 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61484 <-> SERVER-WEBAPP Zoho ManageEngine ADSelfService Plus default credentials login attempt
* 1:61485 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61486 <-> SERVER-WEBAPP FLIR AX8 Camera command injection attempt
* 1:61489 <-> MALWARE-CNC Win.Ransomware.Mallox variant outbound connection
* 1:61490 <-> MALWARE-OTHER Win.Ransomware.Mallox variant binary SMB transfer attempt
* 1:61493 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61494 <-> MALWARE-CNC Php.Webshell.Agent outbound connection
* 1:61495 <-> MALWARE-OTHER Ps1.Malware.Powercat shell download attempt
* 1:61498 <-> POLICY-OTHER Plex Media Server LocalAppDataPath modification attempt
* 1:61499 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61500 <-> SERVER-WEBAPP Plex Media Server arbitrary file upload attempt
* 1:61501 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 1:61502 <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated RMI code execution attempt
* 3:61503 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt
* 3:61504 <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2023-1730 attack attempt

Modified Rules:

* 1:60670 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60671 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60672 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60673 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60674 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60675 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60676 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60677 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
* 1:60678 <-> SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt