Talos Rules 2026-03-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2026-23668: A coding deficiency exists in Microsoft Windows Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66091 through 66092, Snort 3: GID 1, SID 301443.

Microsoft Vulnerability CVE-2026-24289: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66089 through 66090, Snort 3: GID 1, SID 301442.

Microsoft Vulnerability CVE-2026-24291: A coding deficiency exists in Microsoft Windows Accessibility Infrastructure (ATBroker.exe) that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66101 through 66102, Snort 3: GID 1, SID 301445.

Microsoft Vulnerability CVE-2026-25187: A coding deficiency exists in Microsoft Winlogon that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66096 through 66097, Snort 3: GID 1, SID 301444.

Microsoft Vulnerability CVE-2026-26132: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66103 through 66104, Snort 3: GID 1, SID 301446.

Talos has added and modified multiple rules in the file-image, file-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
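The five advisory entries above tie each CVE to a Snort 2 SID range and a Snort 3 SID, and the change logs below list those same SIDs; note that every OS-WINDOWS entry in the Snort 2 logs ships with a default state of DISABLED, so none of the Microsoft coverage fires until an operator enables it. Two checks are therefore worth running after pulling this release: that every SID the advisory cites is actually present in the rule pack, and which of those SIDs still need to be turned on. The script below is an added example, not Talos or Snort tooling. It parses the two line formats used on this page (the Snort 2 `gid:sid <-> state <-> message (group)` form and the Snort 3 `gid:sid <-> message` form) from an excerpt of this page embedded inline, joins the advisory to the change log, and prints a `gid:sid` enable list. The excerpt is copied from this page, not invented; the one-`gid:sid`-per-line output form is an assumption about the rule-management tool you feed it to (it is the form PulledPork-style enablesid lists accept).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of this page's own text (two advisory entries and a few change-log
# lines), embedded so the script runs offline. Feed it the full page in practice.
ADVISORY = """\
Microsoft Vulnerability CVE-2026-23668: A coding deficiency exists in Microsoft Windows Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66091 through 66092, Snort 3: GID 1, SID 301443.

Microsoft Vulnerability CVE-2026-24289: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 66089 through 66090, Snort 3: GID 1, SID 301442.
"""

CHANGELOG = """\
 * 1:66090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 1:66092 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 3:66099 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt (file-image.rules)
* 1:301442 <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt
* 1:301443 <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt
"""

CVE_RE = re.compile(r"Microsoft Vulnerability (CVE-\d{4}-\d{4,}):")
# "Snort 2: GID 1, SIDs 66091 through 66092" or "Snort 3: GID 1, SID 301443"
SIDS_RE = re.compile(r"Snort (\d): GID (\d+), SIDs? (\d+)(?: through (\d+))?")
# Snort 2 change-log lines carry a default state and a rule group; Snort 3 lines do not.
RULE_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(?:(ENABLED|DISABLED)\s*<->\s*)?(.*?)"
    r"(?:\s*\(([\w.-]+\.rules)\))?\s*$"
)

Key = Tuple[int, int]  # (gid, sid)


@dataclass
class RuleEntry:
    gid: int
    sid: int
    state: Optional[str]   # "ENABLED", "DISABLED", or None for Snort 3 lists
    msg: str
    group: Optional[str]   # e.g. "os-windows.rules"; None for Snort 3 lists


def parse_advisory(text: str) -> Dict[str, Dict[str, List[Key]]]:
    """Map each CVE to the Snort 2 / Snort 3 (gid, sid) pairs the advisory names."""
    out: Dict[str, Dict[str, List[Key]]] = {}
    current = None
    for line in text.splitlines():
        m = CVE_RE.search(line)
        if m:
            current = m.group(1)
            out[current] = {"snort2": [], "snort3": []}
            continue
        if current and "identified with:" in line:
            for ver, gid, lo, hi in SIDS_RE.findall(line):
                first, last = int(lo), int(hi or lo)   # "SID 301443" has no upper bound
                out[current]["snort" + ver] += [(int(gid), s) for s in range(first, last + 1)]
    return out


def parse_changelog(text: str) -> Dict[Key, RuleEntry]:
    """Index change-log lines by (gid, sid); accepts both list formats on this page."""
    entries: Dict[Key, RuleEntry] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        gid, sid, state, msg, group = m.groups()
        key = (int(gid), int(sid))
        entries[key] = RuleEntry(key[0], key[1], state, msg.strip(), group)
    return entries


def coverage_report(advisory: Dict[str, Dict[str, List[Key]]],
                    changelog: Dict[Key, RuleEntry]) -> List[dict]:
    """One row per advisory SID, joined to its change-log entry (flagged if absent)."""
    rows = []
    for cve, by_version in advisory.items():
        for version, keys in by_version.items():
            for key in keys:
                e = changelog.get(key)
                rows.append({"cve": cve, "snort": version, "gid": key[0], "sid": key[1],
                             "state": e.state if e else None,
                             "msg": e.msg if e else None,
                             "in_changelog": e is not None})
    return rows


def enable_list(rows: List[dict]) -> List[str]:
    """gid:sid of advisory rules that ship DISABLED by default, sorted numerically.
    One entry per line is the form PulledPork-style enablesid lists accept (assumption)."""
    return sorted({f"{r['gid']}:{r['sid']}" for r in rows if r["state"] == "DISABLED"},
                  key=lambda s: tuple(map(int, s.split(":"))))


if __name__ == "__main__":
    rows = coverage_report(parse_advisory(ADVISORY), parse_changelog(CHANGELOG))
    for r in rows:
        flag = "MISSING" if not r["in_changelog"] else (r["state"] or "n/a")
        print(f"{r['cve']} {r['snort']} {r['gid']}:{r['sid']:<7} {flag:<8} {r['msg']}")
    print("enable:", ", ".join(enable_list(rows)))
```

Run it against the full page text and a `MISSING` row means the advisory cites a SID the rule pack did not actually ship; rows with `n/a` are Snort 3 entries, whose default policy state is not stated in the Snort 3 lists on this page and has to be checked in the rule files themselves.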

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2026-03-11 16:52:17 UTC

Snort Subscriber Rules Update

Date: 2026-03-10

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:66090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66088 <-> DISABLED <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP object injection attempt (server-webapp.rules)
 * 1:66102 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt (os-windows.rules)
 * 1:66085 <-> DISABLED <-> POLICY-OTHER BeyondTrust RS and PRA vulnerable WebSocket application access attempt (policy-other.rules)
 * 1:66092 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 1:66091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 1:66087 <-> DISABLED <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP archive deserialization attempt (server-webapp.rules)
 * 1:66093 <-> DISABLED <-> SERVER-WEBAPP ChuanhuChatGPT fn_index denial of service attempt (server-webapp.rules)
 * 1:66104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:66103 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:66084 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:66086 <-> DISABLED <-> POLICY-OTHER BeyondTrust RS and PRA potential information disclosure attempt (policy-other.rules)
 * 1:66089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66094 <-> DISABLED <-> SERVER-WEBAPP Dolibarr ERP CRM Menu Editor code injection attempt (server-webapp.rules)
 * 1:66096 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt (os-windows.rules)
 * 1:66097 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt (os-windows.rules)
 * 1:66101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt (os-windows.rules)
 * 1:66098 <-> DISABLED <-> SERVER-WEBAPP Man Group D-Tale remote code execution attempt (server-webapp.rules)
 * 3:66099 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt (file-image.rules)
 * 3:66095 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage authentication bypass attempt (server-webapp.rules)
 * 3:66100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt (file-image.rules)

Modified Rules:


 * 1:59781 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59770 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59761 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59780 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59771 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59760 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 3:61367 <-> ENABLED <-> SERVER-WEBAPP Cisco Email Security Appliance arbitrary code execution attempt (server-webapp.rules)

2026-03-11 16:52:17 UTC

Snort Subscriber Rules Update

Date: 2026-03-10

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:66084 <-> DISABLED <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt (server-other.rules)
 * 1:66085 <-> DISABLED <-> POLICY-OTHER BeyondTrust RS and PRA vulnerable WebSocket application access attempt (policy-other.rules)
 * 1:66086 <-> DISABLED <-> POLICY-OTHER BeyondTrust RS and PRA potential information disclosure attempt (policy-other.rules)
 * 1:66087 <-> DISABLED <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP archive deserialization attempt (server-webapp.rules)
 * 1:66088 <-> DISABLED <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP object injection attempt (server-webapp.rules)
 * 1:66089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt (os-windows.rules)
 * 1:66091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 1:66092 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt (os-windows.rules)
 * 1:66093 <-> DISABLED <-> SERVER-WEBAPP ChuanhuChatGPT fn_index denial of service attempt (server-webapp.rules)
 * 1:66094 <-> DISABLED <-> SERVER-WEBAPP Dolibarr ERP CRM Menu Editor code injection attempt (server-webapp.rules)
 * 1:66096 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt (os-windows.rules)
 * 1:66097 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt (os-windows.rules)
 * 1:66098 <-> DISABLED <-> SERVER-WEBAPP Man Group D-Tale remote code execution attempt (server-webapp.rules)
 * 1:66101 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt (os-windows.rules)
 * 1:66102 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt (os-windows.rules)
 * 1:66103 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 1:66104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules)
 * 3:66099 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt (file-image.rules)
 * 3:66095 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage authentication bypass attempt (server-webapp.rules)
 * 3:66100 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt (file-image.rules)

Modified Rules:


 * 1:59781 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59761 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59780 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59771 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59770 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 1:59760 <-> DISABLED <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt (file-other.rules)
 * 3:61367 <-> ENABLED <-> SERVER-WEBAPP Cisco Email Security Appliance arbitrary code execution attempt (server-webapp.rules)

2026-03-11 16:52:17 UTC

Snort Subscriber Rules Update

Date: 2026-03-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.9.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301442 <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt
* 1:301443 <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt
* 1:301444 <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt
* 1:301445 <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt
* 1:301446 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:66084 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66085 <-> POLICY-OTHER BeyondTrust RS and PRA vulnerable WebSocket application access attempt
* 1:66086 <-> POLICY-OTHER BeyondTrust RS and PRA potential information disclosure attempt
* 1:66087 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP archive deserialization attempt
* 1:66088 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP object injection attempt
* 1:66093 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index denial of service attempt
* 1:66094 <-> SERVER-WEBAPP Dolibarr ERP CRM Menu Editor code injection attempt
* 1:66098 <-> SERVER-WEBAPP Man Group D-Tale remote code execution attempt
* 3:66095 <-> SERVER-WEBAPP Cisco SD-WAN vManage authentication bypass attempt
* 3:66099 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt
* 3:66100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt

Modified Rules:

* 1:300151 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300156 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300161 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 3:61367 <-> SERVER-WEBAPP Cisco Email Security Appliance arbitrary code execution attempt


2026-03-11 16:52:17 UTC

Snort Subscriber Rules Update

Date: 2026-03-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301442 <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt
* 1:301443 <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt
* 1:301444 <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt
* 1:301445 <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt
* 1:301446 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:66084 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66085 <-> POLICY-OTHER BeyondTrust RS and PRA vulnerable WebSocket application access attempt
* 1:66086 <-> POLICY-OTHER BeyondTrust RS and PRA potential information disclosure attempt
* 1:66087 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP archive deserialization attempt
* 1:66088 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP object injection attempt
* 1:66093 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index denial of service attempt
* 1:66094 <-> SERVER-WEBAPP Dolibarr ERP CRM Menu Editor code injection attempt
* 1:66098 <-> SERVER-WEBAPP Man Group D-Tale remote code execution attempt
* 3:66095 <-> SERVER-WEBAPP Cisco SD-WAN vManage authentication bypass attempt
* 3:66099 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt
* 3:66100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt

Modified Rules:

* 1:300151 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300156 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300161 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 3:61367 <-> SERVER-WEBAPP Cisco Email Security Appliance arbitrary code execution attempt


2026-03-11 16:52:17 UTC

Snort Subscriber Rules Update

Date: 2026-03-10-001

This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.11.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:301442 <-> OS-WINDOWS Microsoft Windows Kernel driver elevation of privilege attempt
* 1:301443 <-> OS-WINDOWS Microsoft Windows Graphics Component elevation of privilege attempt
* 1:301444 <-> OS-WINDOWS Microsoft Windows Winlogon elevation of privilege attempt
* 1:301445 <-> OS-WINDOWS Microsoft Windows Accessibility Infrastructure elevation of privilege attempt
* 1:301446 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt
* 1:66084 <-> SERVER-OTHER SolarWinds Network Performance Monitor insecure deserialization attempt
* 1:66085 <-> POLICY-OTHER BeyondTrust RS and PRA vulnerable WebSocket application access attempt
* 1:66086 <-> POLICY-OTHER BeyondTrust RS and PRA potential information disclosure attempt
* 1:66087 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP archive deserialization attempt
* 1:66088 <-> SERVER-WEBAPP WordPress WPvivid Backup Plugin PHP object injection attempt
* 1:66093 <-> SERVER-WEBAPP ChuanhuChatGPT fn_index denial of service attempt
* 1:66094 <-> SERVER-WEBAPP Dolibarr ERP CRM Menu Editor code injection attempt
* 1:66098 <-> SERVER-WEBAPP Man Group D-Tale remote code execution attempt
* 3:66095 <-> SERVER-WEBAPP Cisco SD-WAN vManage authentication bypass attempt
* 3:66099 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt
* 3:66100 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2026-2359 attack attempt

Modified Rules:

* 1:300151 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300156 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 1:300161 <-> FILE-OTHER Info-ZIP Unzip malformed extra field buffer overflow attempt
* 3:61367 <-> SERVER-WEBAPP Cisco Email Security Appliance arbitrary code execution attempt