updating IDs

Author: patel-bhavin

lookups/cisco_snort_ids_to_threat_mapping.csv

@@ -1,4 +1,6 @@
 threat,signature_id,category,message
+ArcaneDoor,46897,SERVER-WEBAPP,Cisco Adaptive Security Appliance directory traversal attempt
+ArcaneDoor,65340,SERVER-WEBAPP,TRUFFLEHUNTER SFVRT-1055 attack attempt
 AgentTesla,40238,MALWARE-CNC,Win.Keylogger.AgentTesla variant outbound connection
 AgentTesla,52246,INDICATOR-COMPROMISE,AgentTesla variant outbound connection attempt
 AgentTesla,52612,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection detected

lookups/cisco_snort_ids_to_threat_mapping.yml

@@ -1,6 +1,6 @@
 name: cisco_snort_ids_to_threat_mapping
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: f08ae6ce-d7a8-423e-a778-be7178a719f9
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk Threat Research Team
 lookup_type: csv

lookups/threat_snort_count.csv

@@ -1,4 +1,5 @@
 threat,description,distinct_count_snort_ids
+ArcaneDoor,"ArcaneDoor is a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors, with a particular focus on Cisco Secure Firewall ASA/FTD appliances.",2
 AgentTesla,"AgentTesla is a widely used .NET-based infostealer that exfiltrates credentials, clipboard data, and keystrokes. It often spreads via phishing emails with malicious attachments.",2
 Amadey,"Amadey is a lightweight malware primarily used as a loader for deploying additional payloads. It collects system information and often works alongside other malware like SmokeLoader.",1
 AsyncRAT,"AsyncRAT is an open-source Remote Access Trojan (RAT) used for remote control, keylogging, and credential theft. It's commonly used by both amateurs and cybercriminals due to its ease of deployment.",1

lookups/threat_snort_count.yml

@@ -1,6 +1,6 @@
 name: threat_snort_count
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: 48a35e07-ed5f-42f9-a5da-b7f2ab892e3c
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 lookup_type: csv