Talos Rules 2025-11-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2025-59512: A coding deficiency exists in Microsoft Customer Experience Improvement Program (CEIP) that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with Snort 2: GID 1, SIDs 65500 through 65501; Snort 3: GID 1, SID 301345.

Microsoft Vulnerability CVE-2025-60705: A coding deficiency exists in Microsoft Windows Client-Side Caching that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with Snort 2: GID 1, SIDs 65507 through 65508; Snort 3: GID 1, SID 301347.

Microsoft Vulnerability CVE-2025-60719: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with Snort 2: GID 1, SIDs 65496 through 65497; Snort 3: GID 1, SID 301343.

Microsoft Vulnerability CVE-2025-62213: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with Snort 2: GID 1, SIDs 65498 through 65499; Snort 3: GID 1, SID 301344.

Microsoft Vulnerability CVE-2025-62215: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with Snort 2: GID 1, SIDs 65509 through 65510; Snort 3: GID 1, SID 301348.

Talos has added and modified multiple rules in the malware-cnc, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)
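The advisory summary at the top of this page maps each CVE to a SID range, and the change log above lists every rule with its default state. Those two lists are worth cross-checking mechanically, because a SID cited for a CVE only provides coverage if it is actually in the pack you load and is enabled in the policy you run; most of the new rules in this release ship DISABLED. The script below is an added example, not Talos or Snort code: it parses the `gid:sid <-> Default rule state <-> Message (rule group)` format, reports which cited SIDs are present, absent, or disabled by default, and emits a gid:sid list for the ones you would need to enable. The changelog sample is constructed from a handful of this page's entries; the ADVISORY_COVERAGE table is copied from the summary above, with CVE-2025-60719 deliberately left out of the sample so the missing-SID path is exercised; the one-gid:sid-per-line output format is an assumption about your rule manager.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the page's changelog format: a subset of the 2025-11-11 entries
# shown above plus the section headers. Feed the full text of a release to use it for real.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:

 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)
"""

# Snort 2 coverage as stated in the advisory summary: CVE -> (gid, first sid, last sid).
# CVE-2025-60719's SIDs are absent from SAMPLE_CHANGELOG on purpose (exercises the "missing" path).
ADVISORY_COVERAGE: Dict[str, Tuple[int, int, int]] = {
    "CVE-2025-59512": (1, 65500, 65501),
    "CVE-2025-60705": (1, 65507, 65508),
    "CVE-2025-60719": (1, 65496, 65497),
}

# One changelog entry: "gid:sid <-> Default rule state <-> Message (rule group)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.+?)\s*\((\S+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default state in the rule pack, not what your sensor is running
    message: str
    group: str         # e.g. os-windows.rules
    section: str       # "new" or "modified"


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse the 'New Rules:' and 'Modified Rules:' lists into RuleEntry objects."""
    entries: List[RuleEntry] = []
    section = None
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m and section:
            gid, sid, state, msg, group = m.groups()
            entries.append(RuleEntry(int(gid), int(sid), state == "ENABLED", msg, group, section))
    return entries


def coverage_report(entries: List[RuleEntry], coverage: Dict[str, Tuple[int, int, int]]):
    """Per CVE: which cited SIDs are in the pack, which are absent, and which ship DISABLED."""
    by_key = {(e.gid, e.sid): e for e in entries}
    report = {}
    for cve, (gid, first, last) in coverage.items():
        cited = list(range(first, last + 1))
        present = [s for s in cited if (gid, s) in by_key]
        missing = [s for s in cited if (gid, s) not in by_key]
        disabled = [s for s in present if not by_key[(gid, s)].enabled]
        report[cve] = {"present": present, "missing": missing, "disabled_by_default": disabled}
    return report


def enablesid_lines(entries: List[RuleEntry], coverage: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """gid:sid lines for advisory-cited rules that are DISABLED by default, sorted and deduplicated.
    Assumption: the rule manager takes a plain one-gid:sid-per-line list (pulledpork-style
    enablesid file); adapt the output if yours expects something else."""
    report = coverage_report(entries, coverage)
    wanted = set()
    for cve, (gid, _first, _last) in coverage.items():
        for sid in report[cve]["disabled_by_default"]:
            wanted.add((gid, sid))
    return [f"{gid}:{sid}" for gid, sid in sorted(wanted)]


def default_state_summary(entries: List[RuleEntry]) -> Dict[str, int]:
    """How many of the pack's new rules fire without any operator action."""
    new = [e for e in entries if e.section == "new"]
    return {
        "new": len(new),
        "enabled_by_default": sum(e.enabled for e in new),
        "disabled_by_default": sum(not e.enabled for e in new),
    }


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print(default_state_summary(rules))
    for cve, result in coverage_report(rules, ADVISORY_COVERAGE).items():
        print(cve, result)
    print("\n".join(enablesid_lines(rules, ADVISORY_COVERAGE)))
```

The state shown in the change log is the pack default; the policy you load (balanced-ips, security-ips and so on) may set a different state for the same SID, so check the effective state on the sensor rather than trusting the changelog alone. GID 3 is the generator ID Snort uses for shared-object (SO) rules, so the two TRUFFLEHUNTER entries only load if the SO rule package built for your exact Snort version is installed, which is why the change log is repeated once per Snort version above.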

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:


 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:

 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:

 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:09:27 UTC

Snort Subscriber Rules Update

Date: 2025-11-11

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:65494 <-> DISABLED <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt (policy-other.rules)
 * 1:65509 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65511 <-> DISABLED <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt (server-webapp.rules)
 * 1:65500 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65505 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65504 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65492 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65510 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65495 <-> DISABLED <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt (server-webapp.rules)
 * 1:65490 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65506 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:65503 <-> DISABLED <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt (server-webapp.rules)
 * 1:65499 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65513 <-> DISABLED <-> MALWARE-CNC PHP.Webshell.Generic outbound connection (malware-cnc.rules)
 * 1:65508 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65496 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65493 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65491 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt (server-webapp.rules)
 * 1:65512 <-> DISABLED <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection (malware-other.rules)
 * 1:65498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt (os-windows.rules)
 * 1:65507 <-> DISABLED <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt (os-windows.rules)
 * 1:65501 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt (os-windows.rules)
 * 1:65502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt (malware-cnc.rules)
 * 3:65514 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)
 * 3:65515 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt (policy-other.rules)

Modified Rules:

 * 1:60117 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt (server-webapp.rules)

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:21 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:22 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:22 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301344 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver elevation of privilege attempt
* 1:301345 <-> OS-WINDOWS Microsoft Windows Customer Experience Improvement Program privilege escalation attempt
* 1:301346 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:301347 <-> OS-WINDOWS Microsoft Windows csc.sys elevation of privilege attempt
* 1:301348 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65491 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65492 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65493 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 1:65494 <-> POLICY-OTHER Dassault Systemes DELMIA Apriso potential authentication bypass attempt
* 1:65495 <-> SERVER-WEBAPP Adobe ColdFusion remote code execution attempt
* 1:65502 <-> MALWARE-CNC Win.Trojan.LokiBot variant outbound connection attempt
* 1:65503 <-> SERVER-WEBAPP Gladinet CentreStack directory traversal attempt
* 1:65506 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:65511 <-> SERVER-WEBAPP FlowiseAI Flowise directory traversal attempt
* 1:65512 <-> MALWARE-OTHER PHP.Webshell.PHPFileManager outbound connection
* 1:65513 <-> MALWARE-CNC PHP.Webshell.Generic outbound connection
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
* 3:65515 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt

Modified Rules:

* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt

2025-11-11 18:13:22 UTC

Snort Subscriber Rules Update

Date: 2025-11-10-001

This same 2025-11-10-001 list of new and modified rules is published, entry for entry, in the Cisco Talos Certified rule packs for Snort versions 3.2.0.0, 3.3.5.1, 3.3.6.0, 3.3.7.0, 3.7.0.0, 3.9.0.0, 3.1.11.0, 3.1.15.0, 3.1.18.0, 3.1.20.0, 3.1.21.0, 3.1.35.0, 3.1.44.0 and 3.1.47.0. Each of those per-version packs carries the identical New Rules entries (1:301343 through 1:301348, 1:65490 through 1:65495, 1:65502, 1:65503, 1:65506, 1:65511 through 1:65513, 3:65514 and 3:65515) and the identical Modified Rules entry (1:60117) listed above, in the same gid:sid <-> Message format.
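The per-version lists above all follow the gid:sid <-> Message layout the note describes. What follows is an added example (not Talos or Cisco code) of turning such a note into structured records: it parses the bullet lines under New Rules: and Modified Rules: for each Snort version block, checks that the per-version blocks really are identical, groups gid:sid references by category, and reconciles the release against a set of rules already deployed on a sensor. SAMPLE_NOTE is a constructed two-version excerpt built from entries in this release, the deployed set in __main__ is made up for illustration, and the function names are the example's own.

```python
"""Parse Talos 'Snort Subscriber Rules Update' notes into structured records.

Added example, not Talos or Cisco code. It reads the plain-text layout the
note documents ('* gid:sid <-> CATEGORY message' bullets under 'New Rules:'
and 'Modified Rules:', one block per Snort version). SAMPLE_NOTE is a
constructed two-version excerpt of this release's list.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_NOTE = """\
Snort Subscriber Rules Update
Date: 2025-11-10-001
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.
gid:sid <-> Message
New Rules:
* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
Modified Rules:
* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt
2025-11-11 18:13:22 UTC
Snort Subscriber Rules Update
Date: 2025-11-10-001
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.5.1.
New Rules:
* 1:301343 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:65490 <-> SERVER-WEBAPP Ubiquiti airOS stainfo.cgi command injection attempt
* 3:65514 <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2025-2292 attack attempt
Modified Rules:
* 1:60117 <-> SERVER-WEBAPP Microsoft SharePoint Workflow XOML injection attempt
"""

# One bullet per rule. GID 1 is a text rule, GID 3 a shared-object rule
# (3:65514 above), so the gid must stay part of the key, not just the sid.
RULE_LINE = re.compile(r"^\*\s+(\d+):(\d+)\s+<->\s+([A-Z][A-Z0-9-]*)\s+(.*\S)\s*$")
SECTION_LINE = re.compile(r"^(New|Modified) Rules:\s*$")
VERSION_LINE = re.compile(r"for Snort version (\d+(?:\.\d+)*)\.?\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    category: str
    message: str
    status: str  # "new" or "modified"

    @property
    def ref(self):
        return f"{self.gid}:{self.sid}"


def parse_update(text):
    """Return {snort_version: [RuleEntry, ...]} in document order.
    Bullets only count once a version line and a section heading were seen,
    so the literal 'gid:sid <-> Message' format line is never mistaken for a rule."""
    blocks, version, status = {}, None, None
    for line in text.splitlines():
        m = VERSION_LINE.search(line)
        if m:
            version, status = m.group(1), None
            blocks[version] = []
            continue
        m = SECTION_LINE.match(line)
        if m:
            status = m.group(1).lower()
            continue
        m = RULE_LINE.match(line)
        if m and version and status:
            gid, sid, category, message = m.groups()
            blocks[version].append(RuleEntry(int(gid), int(sid), category, message, status))
    return blocks


def identical_across_versions(blocks):
    """True when every per-version block carries the same gid:sid/status set,
    i.e. any one block can stand in for the whole release."""
    return len({frozenset((e.gid, e.sid, e.status) for e in b) for b in blocks.values()}) == 1


def sids_by_category(entries):
    """Group 'gid:sid' references by rule category, sorted numerically."""
    grouped = defaultdict(list)
    for e in sorted(entries, key=lambda e: (e.gid, e.sid)):
        grouped[e.category].append(e.ref)
    return dict(grouped)


def find(entries, keyword):
    """Case-insensitive substring search over rule messages."""
    return [e for e in entries if keyword.lower() in e.message.lower()]


def reconcile(entries, deployed):
    """Compare a release with a deployed set of (gid, sid). Returns (missing,
    refresh): rules not yet deployed, and deployed rules this release modified."""
    missing = [e for e in entries if (e.gid, e.sid) not in deployed]
    refresh = [e for e in entries if (e.gid, e.sid) in deployed and e.status == "modified"]
    return missing, refresh


if __name__ == "__main__":
    blocks = parse_update(SAMPLE_NOTE)
    print("versions:", ", ".join(blocks), "| identical:", identical_across_versions(blocks))
    entries = blocks["3.2.0.0"]
    for category, refs in sids_by_category(entries).items():
        print(f"{category:13} {' '.join(refs)}")
    missing, refresh = reconcile(entries, {(1, 60117), (1, 65490)})  # constructed deployed set
    print("missing:", [e.ref for e in missing], "refresh:", [e.ref for e in refresh])
```

Run against the full published note, identical_across_versions tells you whether you can take any single version block as the release's rule list, and reconcile gives the two actions a detection engineer actually needs after a pack update: which new rules are absent from the sensor and which already deployed rules (here 1:60117) changed text and must be re-pulled rather than merely enabled.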