Talos Rules 2024-05-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2024-29996: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63427 through 63428, Snort 3: GID 1, SID 300909.

Microsoft Vulnerability CVE-2024-30025: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63419 through 63420, Snort 3: GID 1, SID 300906.

Microsoft Vulnerability CVE-2024-30032: A coding deficiency exists in Microsoft Windows DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63425 through 63426, Snort 3: GID 1, SID 300908.

Microsoft Vulnerability CVE-2024-30034: A coding deficiency exists in Microsoft Windows Cloud Files Mini Filter Driver that may lead to an information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63422 through 63423, Snort 3: GID 1, SID 300907.

Microsoft Vulnerability CVE-2024-30035: A coding deficiency exists in Microsoft Windows DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63429 through 63430, Snort 3: GID 1, SID 300910.

Microsoft Vulnerability CVE-2024-30037: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63431 through 63432, Snort 3: GID 1, SID 300911.

Microsoft Vulnerability CVE-2024-30044: A coding deficiency exists in Microsoft SharePoint Server that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SID 63424, Snort 3: GID 1, SID 63424.

Microsoft Vulnerability CVE-2024-30050: A coding deficiency exists in Microsoft Windows Mark of the Web that may lead to security feature bypass.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with: Snort 2: GID 1, SIDs 63434 through 63435, Snort 3: GID 1, SID 300912.

Talos also has added and modified multiple rules in the file-executable, os-windows, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
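The changelog format described above ("gid:sid <-> Default rule state <-> Message (rule group)") is simple enough to check mechanically. The following is an added example, not Talos's own tooling: it parses the New Rules and Modified Rules sections, counts entries per rule file, and cross-checks the SIDs that the advisory at the top of this page names per CVE against what the changelog actually ships, reporting SIDs that are absent and SIDs that are present but DISABLED by default (which is the case for every Microsoft rule in this release, so they give no detection until an operator enables them). The changelog excerpt embedded below is copied from the 2092000 entry on this page; the advisory mapping uses the page's Snort 2 SIDs for CVE-2024-29996 and CVE-2024-30044, with the Snort 3 SID 300909 added deliberately to show how an absent SID is reported.

```python
"""Parse a Talos 'Snort Subscriber Rules Update' changelog and cross-check it
against the SIDs an advisory claims as coverage.

Added example, not Talos's own code. The changelog excerpt below is copied
from the page; the advisory mapping is constructed from the page's SIDs.
"""
import re
from dataclasses import dataclass

# One changelog entry: " * gid:sid <-> STATE <-> Message (rule-group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default rule state in the shipped rule pack
    message: str
    group: str      # rule file, e.g. os-windows.rules


def parse_changelog(text: str) -> dict:
    """Split the changelog into 'new' and 'modified' entry lists.

    Lines that do not match the entry format (headers, blanks, the
    'format of the file' description) are ignored rather than rejected,
    because the page interleaves them with entries.
    """
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = "new"
            continue
        if heading == "Modified Rules:":
            current = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(RuleEntry(
                gid=int(m["gid"]), sid=int(m["sid"]),
                enabled=(m["state"] == "ENABLED"),
                message=m["msg"], group=m["group"],
            ))
    return sections


def coverage_report(entries, advisory: dict, gid: int = 1) -> dict:
    """For each CVE, list advertised SIDs that are missing from the changelog
    and SIDs that are present but DISABLED by default (no detection until
    the operator enables them). Only entries with the given GID count."""
    by_sid = {e.sid: e for e in entries if e.gid == gid}
    report = {}
    for cve, sids in advisory.items():
        report[cve] = {
            "missing": sorted(s for s in sids if s not in by_sid),
            "disabled": sorted(s for s in sids
                               if s in by_sid and not by_sid[s].enabled),
        }
    return report


def count_by_group(entries) -> dict:
    """Number of entries per rule file, e.g. {'os-windows.rules': 2}."""
    counts = {}
    for e in entries:
        counts[e.group] = counts.get(e.group, 0) + 1
    return counts


# Excerpt copied from the page's 2092000 changelog (a handful of entries).
CHANGELOG_EXCERPT = """\
The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
"""

# Constructed from the advisory: Snort 2 SIDs per CVE. 300909 is the Snort 3
# SID for CVE-2024-29996 and is expected to be absent from a Snort 2 changelog.
ADVISORY_SIDS = {
    "CVE-2024-29996": [63427, 63428, 300909],
    "CVE-2024-30044": [63424],
}

if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG_EXCERPT)
    print(count_by_group(parsed["new"]))
    for cve, result in coverage_report(parsed["new"], ADVISORY_SIDS).items():
        print(cve, result)
```

Run against a full changelog, the "disabled" list is the actionable output: a SID listed there is shipped but inert until the policy enables it, so the advisory's "rules are included" does not by itself mean the sensor is alerting on the CVE.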

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:35:35 UTC

Snort Subscriber Rules Update

Date: 2024-05-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63429 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63433 <-> DISABLED <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt (policy-other.rules)
 * 1:63409 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63434 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63412 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63417 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63416 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63408 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt (server-webapp.rules)
 * 1:63418 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63411 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63410 <-> DISABLED <-> SERVER-WEBAPP Jorani directory traversal attempt (server-webapp.rules)
 * 1:63439 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63436 <-> ENABLED <-> SERVER-WEBAPP Commvault CommCell command injection attempt (server-webapp.rules)
 * 1:63423 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63421 <-> DISABLED <-> SERVER-SAMBA Samba nmbd memory corruption attempt (server-samba.rules)
 * 1:63426 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63427 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 1:63424 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt (server-webapp.rules)
 * 1:63430 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt (file-executable.rules)
 * 1:63425 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt (os-windows.rules)
 * 1:63431 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63440 <-> DISABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:63435 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt (os-windows.rules)
 * 1:63420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt (os-windows.rules)
 * 1:63415 <-> DISABLED <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt (server-webapp.rules)
 * 1:63438 <-> DISABLED <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt (server-webapp.rules)
 * 1:63432 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt (os-windows.rules)
 * 1:63437 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt (server-webapp.rules)
 * 1:63422 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt (os-windows.rules)
 * 1:63428 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt (os-windows.rules)
 * 3:63414 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63441 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63413 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt (server-webapp.rules)
 * 3:63442 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt (server-webapp.rules)
 * 3:63443 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 3:63317 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)
 * 3:63318 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt (file-executable.rules)

2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corrpution attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corrpution attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:16 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt


2024-05-14 17:38:17 UTC

Snort Subscriber Rules Update

Date: 2024-05-13-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300905 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 1:300906 <-> OS-WINDOWS Microsoft Windows Common Log File System escalation of privilege attempt
* 1:300907 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver information disclosure attempt
* 1:300908 <-> OS-WINDOWS Microsoft Windows DWM Core elevation of privilege attempt
* 1:300909 <-> OS-WINDOWS Microsoft Windows Common Log File System Driver elevation of privilege attempt
* 1:300910 <-> FILE-EXECUTABLE Microsoft Windows Desktop Window Manager use-after-free attempt
* 1:300911 <-> OS-WINDOWS Microsoft Windows Common Log File System memory corruption attempt
* 1:300912 <-> OS-WINDOWS Microsoft Windows Mark-of-the-Web security feature bypass attempt
* 1:63408 <-> SERVER-WEBAPP PHP unserialize datetimezone object code execution attempt
* 1:63409 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63410 <-> SERVER-WEBAPP Jorani directory traversal attempt
* 3:63413 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 3:63414 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1979 attack attempt
* 1:63415 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63416 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63417 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63418 <-> SERVER-WEBAPP Fortinet Wireless LAN Manager ezrf_upgrade_images.cgi command injection attempt
* 1:63421 <-> SERVER-SAMBA Samba nmbd memory corruption attempt
* 1:63424 <-> SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt
* 1:63433 <-> POLICY-OTHER Oracle E-Business Suite sensitive endpoint access attempt
* 1:63436 <-> SERVER-WEBAPP Commvault CommCell command injection attempt
* 1:63437 <-> SERVER-WEBAPP Oracle WebLogic local file inclusion attempt
* 1:63438 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63439 <-> SERVER-WEBAPP Ghost Content Management System directory traversal attempt
* 1:63440 <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt
* 3:63441 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63442 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2024-1984 attack attempt
* 3:63443 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2024-1986 attack attempt

Modified Rules:

* 1:51086 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:51087 <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt
* 1:63265 <-> OS-WINDOWS Microsoft Windows DHCP Server denial-of-service attempt
* 3:63317 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 3:63318 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2024-1972 attack attempt
* 1:63328 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63329 <-> OS-WINDOWS Active Directory integrated DNS memory corruption attempt
* 1:63340 <-> OS-WINDOWS Active Directory integrated DNS memory underflow attempt