Talos Rules 2025-10-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2025-24052: A coding deficiency exists in Microsoft Windows Agere Modem Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65391 through 65392, Snort 3: GID 1, SID 301325.

Microsoft Vulnerability CVE-2025-24990: A coding deficiency exists in Microsoft Windows Agere Modem Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65391 through 65392, Snort 3: GID 1, SID 301325.

Microsoft Vulnerability CVE-2025-48004: A coding deficiency exists in Microsoft Brokering File System that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65393 through 65394, Snort 3: GID 1, SID 301326.

Microsoft Vulnerability CVE-2025-55680: A coding deficiency exists in Microsoft Windows Cloud Files Mini Filter Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65395 through 65396, Snort 3: GID 1, SID 301327.

Microsoft Vulnerability CVE-2025-55681: A coding deficiency exists in Microsoft Desktop Windows Manager that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65409 through 65410, Snort 3: GID 1, SID 301334.

Microsoft Vulnerability CVE-2025-55692: A coding deficiency exists in Microsoft Windows Error Reporting Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65397 through 65398, Snort 3: GID 1, SID 301328.

Microsoft Vulnerability CVE-2025-55693: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65401 through 65402, Snort 3: GID 1, SID 301330.

Microsoft Vulnerability CVE-2025-55694: A coding deficiency exists in Microsoft Windows Error Reporting Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65403 through 65404, Snort 3: GID 1, SID 301331.

Microsoft Vulnerability CVE-2025-58722: A coding deficiency exists in Microsoft DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65399 through 65400, Snort 3: GID 1, SID 301329.

Microsoft Vulnerability CVE-2025-59194: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65407 through 65408, Snort 3: GID 1, SID 301333.

Microsoft Vulnerability CVE-2025-59199: A coding deficiency exists in Microsoft Software Protection Platform (SPP) that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65405 through 65406, Snort 3: GID 1, SID 301332.

Microsoft Vulnerability CVE-2025-59287: A coding deficiency exists in Microsoft Windows Server Update Service (WSUS) that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SID 65422, Snort 3: GID 1, SID 65422.

Microsoft Vulnerability CVE-2025-47827: A coding deficiency exists in Secure Boot that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65420 through 65421, Snort 3: GID 1, SID 301336.

Talos has added and modified multiple rules in the file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)

2025-10-14 19:51:18 UTC

Snort Subscriber Rules Update

Date: 2025-10-14

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65386 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt (server-webapp.rules)
 * 1:65381 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65406 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65396 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65413 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65389 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65405 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt (os-windows.rules)
 * 1:65402 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65417 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
 * 1:65391 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt (os-windows.rules)
 * 1:65397 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65416 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65385 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65418 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65421 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65390 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt (malware-other.rules)
 * 1:65395 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt (os-windows.rules)
 * 1:65399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65414 <-> ENABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt (malware-cnc.rules)
 * 1:65400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt (os-windows.rules)
 * 1:65422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt (os-windows.rules)
 * 1:65419 <-> DISABLED <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt (server-webapp.rules)
 * 1:65394 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt (os-windows.rules)
 * 1:65403 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65407 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65382 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65404 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65415 <-> DISABLED <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt (malware-cnc.rules)
 * 1:65408 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt (os-windows.rules)
 * 1:65383 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt (server-webapp.rules)
 * 1:65398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt (os-windows.rules)
 * 1:65409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 1:65420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt (os-windows.rules)
 * 1:65401 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65384 <-> ENABLED <-> SERVER-WEBAPP Commvault Command Center argument injection attempt (server-webapp.rules)
 * 1:65410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt (os-windows.rules)
 * 3:65411 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)
 * 3:65412 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64673 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64671 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:64672 <-> DISABLED <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt (server-webapp.rules)
 * 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
 * 1:64101 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt (server-webapp.rules)

2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:45 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.5.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.6.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.7.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.9.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301324 <-> MALWARE-OTHER Win.Ransomware.LockBit5 variant download attempt
* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:301326 <-> OS-WINDOWS Microsoft Windows Brokering File System elevation of privilege attempt
* 1:301327 <-> OS-WINDOWS Microsoft Windows Cloud Files Mini Filter Driver elevation of privilege attempt
* 1:301328 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301329 <-> OS-WINDOWS Microsoft Windows DWM Core Library elevation of privilege attempt
* 1:301330 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301331 <-> OS-WINDOWS Microsoft Windows Error Reporting Service privilege escalation attempt
* 1:301332 <-> OS-WINDOWS Microsoft Windows Software Protection Platform elevation of privilege attempt
* 1:301333 <-> OS-WINDOWS Microsoft Windows Windows elevation of privilege attempt
* 1:301334 <-> OS-WINDOWS Microsoft Windows Desktop Window Manager privilege escalation attempt
* 1:301335 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:301336 <-> OS-WINDOWS Microsoft Windows Secure Boot bypass attempt
* 1:65381 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65382 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65383 <-> SERVER-WEBAPP FlowiseAI Flowise V1 API cross site scripting attempt
* 1:65384 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65385 <-> SERVER-WEBAPP Commvault Command Center argument injection attempt
* 1:65386 <-> SERVER-WEBAPP Commvault Command Center Java expression language injection attempt
* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65416 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65417 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65418 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65419 <-> SERVER-WEBAPP IBM Spectrum Protect Plus command injection attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt
* 3:65412 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:64101 <-> SERVER-WEBAPP D-Link DIR-820 Router OS command injection attempt
* 1:64671 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64672 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt
* 1:64673 <-> SERVER-WEBAPP Advantive VeraCore SQL injection attempt


2025-10-14 19:58:46 UTC

Snort Subscriber Rules Update

Date: 2025-10-14-001

The Cisco Talos Certified rule packs for Snort versions 3.1.15.0, 3.1.18.0, 3.1.20.0, 3.1.21.0, 3.1.35.0, 3.1.44.0 and 3.1.47.0 add and modify exactly the same rules as the 3.1.11.0 pack listed above: new rules 1:301324 through 1:301336, 1:65381 through 1:65388, 1:65413 through 1:65419, 1:65422, 3:65411 and 3:65412; modified rules 1:44734, 1:44735, 1:64101 and 1:64671 through 1:64673. The per-version lists are identical line for line.
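The listing above uses the `gid:sid <-> Message` line format, and the matching Talos advisory text quotes coverage as SID ranges ("SIDs a through b"). The parser below is an added example, not code from Cisco Talos or from the Snort project: it turns a release listing into records, collapses the SIDs of one GID back into advisory-style ranges, and checks whether an advisory's quoted range is actually present in the pack being loaded. The embedded `SAMPLE` text is a constructed excerpt in the listing's format (the lines are drawn from this page), and the function names are this example's own.

```python
"""Parse a Talos "Snort Subscriber Rules Update" listing (gid:sid <-> Message).

Added example, not part of the Talos release notes or Snort. SAMPLE is a
constructed excerpt in the listing's format; the section names
("New Rules:" / "Modified Rules:") and the "* gid:sid <-> message" line
shape are the ones used on the page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in the listing's format (lines taken from the release note).
SAMPLE = """\
New Rules:

* 1:301325 <-> OS-WINDOWS Microsoft Windows Agere Modem Driver elevation of privilege attempt
* 1:65413 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65414 <-> MALWARE-CNC Java.Backdoor.Cl0p variant inbound connection attempt
* 1:65415 <-> MALWARE-CNC Java.Backdoor.Cl0p variant payload download attempt
* 1:65422 <-> OS-WINDOWS Microsoft Windows Server Update Services insecure object deserialization attempt
* 3:65411 <-> FILE-PDF TRUFFLEHUNTER TALOS-2025-2278 attack attempt

Modified Rules:

* 1:44734 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
* 1:44735 <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt
"""

RULE_LINE = re.compile(r"^\*\s+(\d+):(\d+)\s+<->\s+(\S+)\s+(.*)$")
SECTION_LINE = re.compile(r"^(New|Modified) Rules:$")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    category: str   # rule class prefix of the message, e.g. OS-WINDOWS, MALWARE-CNC
    message: str
    section: str    # "New" or "Modified"


def parse_update(text):
    """Return the Rule records of a listing, in file order.

    Lines that are neither a section header nor a rule line (blank lines,
    the date/version banner, the format note) are ignored, so a whole
    release note can be fed in unchanged."""
    rules = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_LINE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and section:
            gid, sid, cat, msg = m.groups()
            rules.append(Rule(int(gid), int(sid), cat, msg, section))
    return rules


def sid_ranges(rules, gid=1, section="New"):
    """Collapse the SIDs of one GID into 'a through b' strings.

    This is the shape the advisory text uses, so the result can be compared
    directly against the coverage an advisory claims."""
    sids = sorted({r.sid for r in rules if r.gid == gid and r.section == section})
    ranges = []
    for s in sids:
        if ranges and s == ranges[-1][1] + 1:
            ranges[-1][1] = s          # extend the current run
        else:
            ranges.append([s, s])      # start a new run
    return [f"{a}" if a == b else f"{a} through {b}" for a, b in ranges]


def covers(rules, gid, first, last, section="New"):
    """True if every SID in [first, last] for this GID is in the section.

    Use it to confirm that the range an advisory quotes is really in the
    pack you load: a Snort 2 SID range (1:65xxx for this release) will not
    be found in a Snort 3 listing, whose equivalents are 1:3013xx."""
    have = {r.sid for r in rules if r.gid == gid and r.section == section}
    return all(s in have for s in range(first, last + 1))


def by_category(rules):
    """Group records by class prefix, e.g. to review every OS-WINDOWS addition at once."""
    groups = defaultdict(list)
    for r in rules:
        groups[r.category].append(r)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("GID 1 new SIDs:", ", ".join(sid_ranges(parsed)))
    print("1:65391 through 1:65392 present:", covers(parsed, 1, 65391, 65392))
    for cat, rs in sorted(by_category(parsed).items()):
        print(f"{cat}: {len(rs)} rule(s)")
```

Feeding the full release note to `parse_update` works as-is; the banner and format lines are skipped. `covers` is the check worth running before trusting an advisory's SID list: the Snort 2 ranges it quotes are not the SIDs a Snort 3 sensor loads.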