Talos has added and modified multiple rules in the file-identify, file-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66539 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66540 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66541 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66542 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66543 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66544 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66545 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66546 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66547 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66548 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66549 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66550 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66551 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66552 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66553 <-> DISABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:66554 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66555 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66556 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66557 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66558 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66559 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66560 <-> DISABLED <-> FILE-IDENTIFY EML file attachment detected (file-identify.rules)
* 1:66561 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66562 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66565 <-> DISABLED <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt (server-webapp.rules)
* 3:66563 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)
* 3:66564 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)
* 3:66566 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt (server-webapp.rules)

* 1:65987 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:18274 <-> DISABLED <-> FILE-IDENTIFY EML file download request (file-identify.rules)
* 1:65988 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66539 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66559 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66558 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66560 <-> DISABLED <-> FILE-IDENTIFY EML file attachment detected (file-identify.rules)
* 1:66544 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66545 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66546 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66547 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66548 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66549 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66550 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66551 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66552 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66553 <-> DISABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:66554 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66555 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66556 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66557 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66565 <-> DISABLED <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt (server-webapp.rules)
* 1:66562 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66561 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66543 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66540 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66542 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66541 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 3:66563 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)
* 3:66564 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)
* 3:66566 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt (server-webapp.rules)

* 1:18274 <-> DISABLED <-> FILE-IDENTIFY EML file download request (file-identify.rules)
* 1:65987 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:65988 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66560 <-> DISABLED <-> FILE-IDENTIFY EML file attachment detected (file-identify.rules)
* 1:66559 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66558 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66561 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66562 <-> DISABLED <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt (server-webapp.rules)
* 1:66565 <-> DISABLED <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt (server-webapp.rules)
* 1:66543 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66540 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66557 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66539 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:66556 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66554 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66553 <-> DISABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:66552 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66555 <-> DISABLED <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt (server-webapp.rules)
* 1:66542 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66541 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66544 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66545 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66547 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66546 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66549 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66548 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66551 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 1:66550 <-> DISABLED <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt (server-other.rules)
* 3:66563 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)
* 3:66566 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt (server-webapp.rules)
* 3:66564 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt (file-other.rules)

* 1:65987 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
* 1:18274 <-> DISABLED <-> FILE-IDENTIFY EML file download request (file-identify.rules)
* 1:65988 <-> DISABLED <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt (file-other.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.5.1.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.6.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.7.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.7.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.9.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.12.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.11.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.12.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301514 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:301515 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301516 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301517 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301518 <-> SERVER-OTHER NodeJS vm2 sandbox escape remote code execution attempt
* 1:301519 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301520 <-> SERVER-WEBAPP VM2 JavaScript remote code execution attempt
* 1:301521 <-> SERVER-WEBAPP pac4j-jwt authentication bypass attempt
* 1:66553 <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt
* 1:66560 <-> FILE-IDENTIFY EML file attachment detected
* 1:66561 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66562 <-> SERVER-WEBAPP ELOG Project ELOG null pointer dereference attempt
* 1:66565 <-> SERVER-WEBAPP Apache Superset default SECRET_KEY authentication bypass attempt
* 3:66563 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66564 <-> FILE-OTHER TRUFFLEHUNTER TALOS-2026-2415 attack attempt
* 3:66566 <-> SERVER-WEBAPP Cisco Unified Communications Manager server side request forgery attempt

* 1:18274 <-> FILE-IDENTIFY EML file download request
* 1:301412 <-> FILE-OTHER LAquis SCADA LGX Report directory traversal attempt
* 1:65064 <-> SERVER-MAIL RoundCube Webmail cross-site scripting attempt