Snort - Network Intrusion Detection & Prevention System

Talos Rules 2026-02-10

Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2026-21231: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65895 through 65896, Snort 3: GID 1, SID 301395.

Microsoft Vulnerability CVE-2026-21238: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65897 through 65898, Snort 3: GID 1, SID 301396.

Microsoft Vulnerability CVE-2026-21241: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65899 through 65900, Snort 3: GID 1, SID 301397.

Microsoft Vulnerability CVE-2026-21253: A coding deficiency exists in Microsoft Mailslot File System that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65906 through 65907, Snort 3: GID 1, SID 301399.

Microsoft Vulnerability CVE-2026-21510: A coding deficiency exists in Microsoft Windows Shell that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65902 through 65903, Snort 3: GID 1, SID 301398.

Microsoft Vulnerability CVE-2026-21514: A coding deficiency exists in Microsoft Word that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65913 through 65914, Snort 3: GID 1, SID 301402.

Microsoft Vulnerability CVE-2026-21519: A coding deficiency exists in Microsoft Desktop Window Manager that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65910 through 65911, Snort 3: GID 1, SID 301401.

Microsoft Vulnerability CVE-2026-21525: A coding deficiency exists in Microsoft Windows Remote Access Connection Manager that may lead to denial of service.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65908 through 65909, Snort 3: GID 1, SID 301400.

Microsoft Vulnerability CVE-2026-21533: A coding deficiency exists in Microsoft Windows Remote Desktop Services that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 65923 through 65924, Snort 3: GID 1, SID 301403.

Talos also has added and modified multiple rules in the file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

29200

2026-02-10 23:47:42 UTC

Snort Subscriber Rules Update

Date: 2026-02-10

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65893 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65894 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65898 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65899 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65900 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65901 <-> DISABLED <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt (server-webapp.rules)
 * 1:65902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65904 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt (server-webapp.rules)
 * 1:65905 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt (server-webapp.rules)
 * 1:65906 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65907 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65908 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65912 <-> DISABLED <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt (server-webapp.rules)
 * 1:65913 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65914 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65915 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65916 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65917 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65918 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65919 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65920 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65921 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65922 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65923 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 1:65924 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 3:65890 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65891 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65892 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:65472 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)
 * 1:65471 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)
 * 1:65544 <-> ENABLED <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt (server-webapp.rules)
 * 1:59016 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)

29181

2026-02-10 23:47:42 UTC

Snort Subscriber Rules Update

Date: 2026-02-10

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65923 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 1:65922 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65924 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 1:65893 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65894 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65898 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65899 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65900 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65901 <-> DISABLED <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt (server-webapp.rules)
 * 1:65902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65904 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt (server-webapp.rules)
 * 1:65905 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt (server-webapp.rules)
 * 1:65906 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65907 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65908 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65912 <-> DISABLED <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt (server-webapp.rules)
 * 1:65913 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65914 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65917 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65916 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65918 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65919 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65920 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65921 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65915 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 3:65890 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65891 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65892 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:65544 <-> ENABLED <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt (server-webapp.rules)
 * 1:65471 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)
 * 1:59016 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:65472 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)

29171

2026-02-10 23:47:42 UTC

Snort Subscriber Rules Update

Date: 2026-02-10

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:65897 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65919 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65894 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65921 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65922 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65923 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 1:65896 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65895 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:65898 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65899 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65901 <-> DISABLED <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt (server-webapp.rules)
 * 1:65902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows security feature bypass attempt (os-windows.rules)
 * 1:65904 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt (server-webapp.rules)
 * 1:65905 <-> DISABLED <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt (server-webapp.rules)
 * 1:65906 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65907 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt (os-windows.rules)
 * 1:65908 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65909 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt (os-windows.rules)
 * 1:65910 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65911 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt (os-windows.rules)
 * 1:65912 <-> DISABLED <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt (server-webapp.rules)
 * 1:65915 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65914 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65916 <-> DISABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65917 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65918 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 1:65893 <-> DISABLED <-> FILE-OTHER RARLAB WinRAR directory traversal attempt (file-other.rules)
 * 1:65900 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt (os-windows.rules)
 * 1:65913 <-> DISABLED <-> FILE-OFFICE Microsoft Office security feature bypass attempt (file-office.rules)
 * 1:65924 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt (os-windows.rules)
 * 1:65920 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication (malware-cnc.rules)
 * 3:65890 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65891 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)
 * 3:65892 <-> ENABLED <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:65544 <-> ENABLED <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt (server-webapp.rules)
 * 1:65472 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)
 * 1:59016 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt (server-webapp.rules)
 * 1:65471 <-> ENABLED <-> SERVER-WEBAPP XWiki Platform server side template injection attempt (server-webapp.rules)

3200

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

3351

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.5.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

3360

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.6.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

3370

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

3700

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.7.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

3900

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.9.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31110

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31150

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31180

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31200

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31210

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31350

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31440

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31470

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt

31100

2026-02-10 23:49:34 UTC

Snort Subscriber Rules Update

Date: 2026-02-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.11.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301394 <-> FILE-OTHER RARLAB WinRAR directory traversal attempt
* 1:301395 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:301396 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301397 <-> OS-WINDOWS Microsoft Windows Ancillary Function Driver for WinSock elevation of privilege attempt
* 1:301398 <-> OS-WINDOWS Microsoft Windows security feature bypass attempt
* 1:301399 <-> OS-WINDOWS Microsoft Windows Mailslot File System elevation of privilege attempt
* 1:301400 <-> OS-WINDOWS Microsoft Windows Remote Access Connection Manager denial of service attempt
* 1:301401 <-> OS-WINDOWS Microsoft Windows Desktop Windows Manager elevation of privilege attempt
* 1:301402 <-> FILE-OFFICE Microsoft Office security feature bypass attempt
* 1:301403 <-> OS-WINDOWS Microsoft Windows Remote Desktop Services elevation of privilege attempt
* 1:65901 <-> SERVER-WEBAPP Apache Tapestry information disclosure attempt
* 1:65904 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join absolute path directory traversal attempt
* 1:65905 <-> SERVER-WEBAPP Gaizhenbiao Chuanhuchatgpt queue_join relative path directory traversal attempt
* 1:65912 <-> SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt
* 1:65915 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65916 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65917 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65918 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65919 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65920 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65921 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 1:65922 <-> MALWARE-CNC Unix.Trojan.VoidLink variant communication
* 3:65890 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65891 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt
* 3:65892 <-> SERVER-WEBAPP Cisco Meeting Management directory traversal attempt

Modified Rules:

* 1:301340 <-> SERVER-WEBAPP XWiki Platform server side template injection attempt
* 1:59016 <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center Java expression language injection attempt
* 1:65544 <-> SERVER-WEBAPP XWiki SolrSearch code injection attempt