Talos has added and modified multiple rules in the file-image, malware-cnc, malware-other, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66105 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66106 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66107 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt (server-other.rules)
* 1:66108 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66109 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66110 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66111 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66112 <-> DISABLED <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt (protocol-other.rules)
* 1:66113 <-> DISABLED <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt (server-webapp.rules)
* 1:66114 <-> DISABLED <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt (server-webapp.rules)
* 1:66115 <-> DISABLED <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66116 <-> DISABLED <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66117 <-> DISABLED <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66118 <-> DISABLED <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection (malware-cnc.rules)
* 3:66119 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66120 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66121 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66122 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)

* 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
* 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66117 <-> DISABLED <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66108 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66106 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66111 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66109 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66105 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66110 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66113 <-> DISABLED <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt (server-webapp.rules)
* 1:66114 <-> DISABLED <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt (server-webapp.rules)
* 1:66115 <-> DISABLED <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66116 <-> DISABLED <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66107 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt (server-other.rules)
* 1:66118 <-> DISABLED <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection (malware-cnc.rules)
* 1:66112 <-> DISABLED <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt (protocol-other.rules)
* 3:66121 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66120 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66119 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66122 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)

* 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
* 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:66116 <-> DISABLED <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66114 <-> DISABLED <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt (server-webapp.rules)
* 1:66117 <-> DISABLED <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66105 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66108 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66106 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
* 1:66118 <-> DISABLED <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection (malware-cnc.rules)
* 1:66107 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt (server-other.rules)
* 1:66110 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66111 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66113 <-> DISABLED <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt (server-webapp.rules)
* 1:66115 <-> DISABLED <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt (server-webapp.rules)
* 1:66109 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt (malware-other.rules)
* 1:66112 <-> DISABLED <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt (protocol-other.rules)
* 3:66120 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66119 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66121 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)
* 3:66122 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt (file-image.rules)

* 1:65387 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
* 1:65388 <-> DISABLED <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.5.1.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.6.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.3.7.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.7.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.9.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.12.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.11.0.0.
The format of the file is:
gid:sid <-> Message
* 1:301447 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:301448 <-> MALWARE-OTHER Win.Dropper.LucidRook variant download attempt
* 1:66105 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66106 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66107 <-> SERVER-OTHER SolarWinds Network Performance Monitor arbitrary command execution attempt
* 1:66112 <-> PROTOCOL-OTHER HeLOL TLSv1.2 Client Hello tunnel exfiltration attempt
* 1:66113 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index arbitrary file deletion attempt
* 1:66114 <-> SERVER-WEBAPP ServiceNow AI Platform authentication bypass attempt
* 1:66115 <-> SERVER-WEBAPP Jenkins Generic Webhook Trigger Plugin XML external entity injection attempt
* 1:66116 <-> SERVER-WEBAPP Jenkins Nuget Plugin XML external entity injection attempt
* 1:66117 <-> SERVER-WEBAPP Jenkins Config File Provider Plugin XML external entity injection attempt
* 1:66118 <-> MALWARE-CNC Ps1.Trojan.PowMix variant connection
* 3:66119 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66120 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66121 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt
* 3:66122 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2331 attack attempt

* 1:65387 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 1:65388 <-> SERVER-WEBAPP Framelink Figma MCP Server command injection attempt
* 7:2 <-> MALWARE-CNC Win.Trojan.Havoc variant outbound connection