Talos Rules 2024-07-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-executable, file-other, file-pdf, malware-cnc, malware-other, policy-other, protocol-rpc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)

Modified Rules:


 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:24:09 UTC

Snort Subscriber Rules Update

Date: 2024-07-03

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:63649 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63646 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63639 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63641 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63678 <-> DISABLED <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt (protocol-rpc.rules)
 * 1:63685 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63636 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63674 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63683 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63675 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt (malware-other.rules)
 * 1:63647 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63684 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63679 <-> DISABLED <-> POLICY-OTHER Nagios XI API key regeneration attempt detected (policy-other.rules)
 * 1:63650 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63681 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63648 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt (server-webapp.rules)
 * 1:63638 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63682 <-> DISABLED <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt (file-other.rules)
 * 1:63645 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63644 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt (server-webapp.rules)
 * 1:63652 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt (server-webapp.rules)
 * 1:63659 <-> DISABLED <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt (server-other.rules)
 * 1:63680 <-> DISABLED <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt (file-other.rules)
 * 1:63651 <-> DISABLED <-> SERVER-WEBAPP IBM QRadar remote code execution attempt (server-webapp.rules)
 * 1:63677 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63676 <-> DISABLED <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt (server-webapp.rules)
 * 1:63643 <-> DISABLED <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt (server-webapp.rules)
 * 1:63637 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63664 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63668 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63667 <-> DISABLED <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt (server-webapp.rules)
 * 1:63673 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63640 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt (server-webapp.rules)
 * 1:63642 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt (server-webapp.rules)
 * 1:63635 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt (server-webapp.rules)
 * 1:63671 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 1:63672 <-> DISABLED <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt (malware-other.rules)
 * 1:63665 <-> DISABLED <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt (file-executable.rules)
 * 1:63666 <-> DISABLED <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt (policy-other.rules)
 * 1:63669 <-> DISABLED <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection (malware-cnc.rules)
 * 1:63670 <-> DISABLED <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary (malware-other.rules)
 * 3:63663 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63660 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63655 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63661 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt (file-pdf.rules)
 * 3:63662 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt (file-pdf.rules)
 * 3:63656 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63658 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63654 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)
 * 3:63657 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt (file-other.rules)
 * 3:63653 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt (file-other.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)

2024-07-03 17:27:23 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt
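The "gid:sid <-> Message" layout above is regular enough to parse mechanically, which is how a SOC usually consumes these updates: pull the SIDs for a product or category into a tuning list, or check which changes are new versus modified. The Python below is an added example, not Talos or Snort code. It turns a changelog excerpt into records, tracks whether each line sits under "New Rules:" or "Modified Rules:", and filters by category, section or keyword. The sample excerpt is constructed inline from lines of this page; the tolerance for extra "<->"-separated fields between the gid:sid and the message is an assumption about format variants, not something this page shows.

```python
"""Parse a Snort Subscriber Rules Update changelog into structured records.

Added example, not Talos or Snort code. Assumes the "gid:sid <-> Message"
layout shown on this page, with "New Rules:" / "Modified Rules:" headers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches "* 1:63659 <-> SERVER-OTHER OpenSSH ..." and captures everything
# after the first "<->" as `rest`.
_RULE_LINE = re.compile(r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<rest>.+?)\s*$")
_SECTION_LINE = re.compile(r"^(?P<name>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    section: str            # "new" or "modified"
    category: str           # leading message token, e.g. SERVER-WEBAPP
    message: str            # message text after the category token
    extra: tuple[str, ...]  # intermediate "<->" fields (assumed variant), normally empty

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleChange]:
    """Return one RuleChange per rule line, in document order."""
    records: list[RuleChange] = []
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_LINE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        m = _RULE_LINE.match(line)
        if not m:
            continue  # dates, headers, blank lines
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        # Assumption: a variant of the format may carry extra "<->" fields
        # (e.g. a default rule state) before the message; keep them in `extra`.
        *extra, message = [f.strip() for f in m.group("rest").split("<->")]
        category, _, detail = message.partition(" ")
        records.append(RuleChange(int(m.group("gid")), int(m.group("sid")),
                                  section, category, detail, tuple(extra)))
    return records


def sids_for(records, *, category=None, section=None, keyword=None) -> list[str]:
    """'gid:sid' refs matching all given filters (keyword is case-insensitive)."""
    out = []
    for r in records:
        if category is not None and r.category != category:
            continue
        if section is not None and r.section != section:
            continue
        if keyword is not None and keyword.lower() not in r.message.lower():
            continue
        out.append(r.ref)
    return out


def summarize(records) -> dict[str, int]:
    """Count changes per category, preserving first-seen order."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


# Constructed sample: an excerpt of the list above, not the full changelog.
SAMPLE = """\
Snort Subscriber Rules Update

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
"""

if __name__ == "__main__":
    recs = parse_changelog(SAMPLE)
    print(summarize(recs))
    print("OpenSSH-related:", sids_for(recs, keyword="OpenSSH"))
    print("shared-object (gid 3) rules:", [r.ref for r in recs if r.gid == 3])
```

Run against the full text of one version block, `sids_for(recs, category="SERVER-WEBAPP", section="new")` gives the list of web-application SIDs to review before enabling, and the gid 3 records separate the TRUFFLEHUNTER shared-object rules, which need the matching precompiled SO package rather than a text rule, from the gid 1 text rules.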


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt


2024-07-03 17:27:24 UTC

Snort Subscriber Rules Update

Date: 2024-07-03-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300948 <-> SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt
* 1:300949 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:300950 <-> FILE-EXECUTABLE ClamAV UPX executable out-of-bounds read attempt
* 1:300951 <-> SERVER-WEBAPP Joomla CMS mod_random_image cross site scripting attempt
* 1:300952 <-> MALWARE-OTHER Go.Proxy.ReverseSSH binary
* 1:300953 <-> MALWARE-OTHER Win.Loader.pkr_ce1a variant download attempt
* 1:300954 <-> MALWARE-OTHER Win.Ransomware.Babuk variant download attempt
* 1:300955 <-> FILE-OTHER Adobe InDesign HyperlinkURLDestination parsing remote code execution attempt
* 1:300956 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:300957 <-> FILE-OTHER Adobe DNG SDK DecodeImage out of bounds read attempt
* 1:63635 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63636 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63637 <-> SERVER-WEBAPP Cacti graphs.php SQL injection attempt
* 1:63638 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63639 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63640 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63641 <-> SERVER-WEBAPP Sophos Web Appliance command injection attempt
* 1:63642 <-> SERVER-WEBAPP Sophos Web Appliance admin account password change attempt
* 1:63643 <-> SERVER-WEBAPP FusionPBX exec.php arbitrary command execution attempt
* 1:63644 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63645 <-> SERVER-WEBAPP Trend Micro InterScan Web Security buffer overflow attempt
* 1:63646 <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning licensestatus jsp directory traversal attempt
* 1:63649 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63650 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63651 <-> SERVER-WEBAPP IBM QRadar remote code execution attempt
* 1:63652 <-> SERVER-WEBAPP Fortinet FortiSIEM command injection attempt
* 3:63653 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63654 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2012 attack attempt
* 3:63655 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63656 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63657 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 3:63658 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2024-2013 attack attempt
* 1:63659 <-> SERVER-OTHER OpenSSH unauthenticated remote code execution attempt
* 3:63660 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63661 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2009 attack attempt
* 3:63662 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 3:63663 <-> FILE-PDF TRUFFLEHUNTER TALOS-2024-2011 attack attempt
* 1:63666 <-> POLICY-OTHER GoAhead Embedded Web Server use after free attempt
* 1:63669 <-> MALWARE-CNC Go.Proxy.ReverseSSH outbound connection
* 1:63676 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63677 <-> SERVER-WEBAPP Jenkins Core FileParameterValue directory traversal attempt
* 1:63678 <-> PROTOCOL-RPC CA ARCserve Backup authentication service denial of service attempt
* 1:63679 <-> POLICY-OTHER Nagios XI API key regeneration attempt detected

Modified Rules:

* 1:33654 <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt
* 1:38511 <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt