Talos Rules 2015-11-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-112: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35199 through 35200, 35956, and 35958.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 36671 through 36696, 36699 through 36702, 36738 through 36739, 36742 through 36743, 36746 through 36747, 36753 through 36754, and 36759 through 36760.

Microsoft Security Bulletin MS15-114: A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36697 through 36698.

Microsoft Security Bulletin MS15-115: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36703 through 36704, 36709 through 36710, 36718 through 36719, 36722 through 36723, 36736 through 36737, 36749 through 36750, and 36761 through 36762.

Microsoft Security Bulletin MS15-116: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36707 through 36708, 36714 through 36717, 36720 through 36721, 36740 through 36741, and 36751 through 36752.

Microsoft Security Bulletin MS15-117: A coding deficiency exists in Microsoft Windows NDIS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36744 through 36745.

Microsoft Security Bulletin MS15-118: A coding deficiency exists in the Microsoft .NET Framework that may lead to an escalation of privilege.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 20258.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 36712 through 36713.

Microsoft Security Bulletin MS15-119: A coding deficiency exists in Microsoft Winsock that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36705 through 36706.

Microsoft Security Bulletin MS15-123: A coding deficiency exists in Skype for Business and Microsoft Lync that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36733 through 36735.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-office, file-other, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-11-10 17:40:00 UTC

Snort Subscriber Rules Update

Date: 2015-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36757 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36758 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stupeval variant outbound connection attempt (malware-cnc.rules)
 * 1:36763 <-> ENABLED <-> SERVER-WEBAPP vBulletin decodeArguments PHP object injection attempt (server-webapp.rules)
 * 1:36764 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blogbox.it - Win.Trojan.Stupeval (blacklist.rules)
 * 1:36671 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36673 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sathurbot outbound connection (malware-cnc.rules)
 * 1:36669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aerofix.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules)
 * 1:36668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain inuxland.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36665 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36663 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36664 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36661 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36659 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36660 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36656 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36658 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36655 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36653 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:36750 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36753 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36654 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:36657 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain newworldtraf.pro - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36672 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36674 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36675 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36676 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36682 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36683 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36684 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36685 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36686 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36687 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36688 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36690 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36691 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36692 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36697 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36698 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36706 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36707 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36708 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36709 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36710 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36756 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36711 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows .NET Application file attachment detected (file-identify.rules)
 * 1:36712 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36714 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36715 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36716 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36717 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36722 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36723 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain axnlze.net - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brynj.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dtbnox.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oruedk.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oxjefy.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36729 <-> ENABLED <-> BLACKLIST DNS request for known malware domain urirq.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36730 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vzvju.org - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36731 <-> ENABLED <-> BLACKLIST DNS request for known malware domain win-upd.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt (malware-cnc.rules)
 * 1:36733 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36734 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36735 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36736 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36737 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36749 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36748 <-> ENABLED <-> FILE-IDENTIFY TTF file attachment detected (file-identify.rules)
 * 1:36747 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)
 * 1:36739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)
 * 1:36743 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36744 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)
 * 1:36740 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36741 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36746 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:33321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:33319 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:35200 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:35199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:30049 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30053 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30051 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30052 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30048 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30050 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:19458 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)
 * 1:19459 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)

2015-11-10 17:40:00 UTC

Snort Subscriber Rules Update

Date: 2015-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36653 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:36654 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:36655 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36656 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36658 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36657 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36659 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36660 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36661 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36663 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36664 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36665 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules)
 * 1:36668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain inuxland.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain newworldtraf.pro - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aerofix.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sathurbot outbound connection (malware-cnc.rules)
 * 1:36671 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36673 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36672 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36674 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36675 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36676 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36682 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36683 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36684 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36685 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36686 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36687 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36688 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36690 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36691 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36692 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36697 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36698 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36706 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36707 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36708 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36709 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36710 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36711 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows .NET Application file attachment detected (file-identify.rules)
 * 1:36712 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36714 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36715 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36716 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36717 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36722 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36723 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain axnlze.net - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brynj.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dtbnox.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oruedk.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oxjefy.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36729 <-> ENABLED <-> BLACKLIST DNS request for known malware domain urirq.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36730 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vzvju.org - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36731 <-> ENABLED <-> BLACKLIST DNS request for known malware domain win-upd.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt (malware-cnc.rules)
 * 1:36733 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36734 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36735 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36736 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36737 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stupeval variant outbound connection attempt (malware-cnc.rules)
 * 1:36764 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blogbox.it - Win.Trojan.Stupeval (blacklist.rules)
 * 1:36763 <-> ENABLED <-> SERVER-WEBAPP vBulletin decodeArguments PHP object injection attempt (server-webapp.rules)
 * 1:36762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36758 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36757 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36756 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36753 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36750 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36749 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36748 <-> ENABLED <-> FILE-IDENTIFY TTF file attachment detected (file-identify.rules)
 * 1:36747 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36746 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)
 * 1:36744 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)
 * 1:36743 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36740 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36741 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)
 * 1:36739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)

Modified Rules:


 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35200 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:33321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:35199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:33319 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:30052 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30053 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30050 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30051 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30048 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30049 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:19459 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)
 * 1:19458 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)

2015-11-10 17:40:00 UTC

Snort Subscriber Rules Update

Date: 2015-11-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36729 <-> ENABLED <-> BLACKLIST DNS request for known malware domain urirq.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oxjefy.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oruedk.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dtbnox.com - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain brynj.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain axnlze.net - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36723 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36722 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Word CoCreateInstance elevation of privilege attempt (file-office.rules)
 * 1:36719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36717 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36716 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word PmwdFromDoc use after free attempt (file-office.rules)
 * 1:36715 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36714 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel slicer style use-after-free attempt (file-office.rules)
 * 1:36713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36712 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ClickOnce information disclosure attempt (os-windows.rules)
 * 1:36711 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows .NET Application file attachment detected (file-identify.rules)
 * 1:36710 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36709 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stupeval variant outbound connection attempt (malware-cnc.rules)
 * 1:36764 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blogbox.it - Win.Trojan.Stupeval (blacklist.rules)
 * 1:36763 <-> ENABLED <-> SERVER-WEBAPP vBulletin decodeArguments PHP object injection attempt (server-webapp.rules)
 * 1:36762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetInformationFile hard link sandbox bypass attempt (os-windows.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36758 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36757 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36756 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36755 <-> DISABLED <-> FILE-FLASH Adobe Flash Player loadBytes buffer overflow remote code execution attempt (file-flash.rules)
 * 1:36754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36753 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement JSON write-what-where attempt (browser-ie.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36750 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36749 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing out of bounds write attempt (file-other.rules)
 * 1:36748 <-> ENABLED <-> FILE-IDENTIFY TTF file attachment detected (file-identify.rules)
 * 1:36747 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36746 <-> DISABLED <-> BROWSER-IE Microsoft Edge click method use after free attempt (browser-ie.rules)
 * 1:36745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)
 * 1:36744 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NDIS.SYS driver buffer overflow attempt (os-windows.rules)
 * 1:36743 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36741 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36740 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word FGetCpFlowDr memory corruption attempt (file-office.rules)
 * 1:36739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)
 * 1:36738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTsfTextStore use-after-free attempt (browser-ie.rules)
 * 1:36737 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36736 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file remote code execution attempt (file-other.rules)
 * 1:36735 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36734 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36733 <-> DISABLED <-> PROTOCOL-VOIP javascript found in SIP headers attempt (protocol-voip.rules)
 * 1:36732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt (malware-cnc.rules)
 * 1:36731 <-> ENABLED <-> BLACKLIST DNS request for known malware domain win-upd.su - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36730 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vzvju.org - Win.Trojan.Sefnit (blacklist.rules)
 * 1:36708 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36707 <-> ENABLED <-> FILE-OFFICE Microsoft Office malformed odttf integer overflow attempt (file-office.rules)
 * 1:36706 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows afd.sys memory corruption attempt (os-windows.rules)
 * 1:36704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeferWindowPos privilege escalation attempt (os-windows.rules)
 * 1:36702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:36700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode row element removal remote code execution attempt (browser-ie.rules)
 * 1:36698 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36697 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal integer overflow attempt (file-other.rules)
 * 1:36696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer table element modification use after free attempt (browser-ie.rules)
 * 1:36694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style object stylesheet use after free attempt (browser-ie.rules)
 * 1:36692 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36691 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CUListElement use-after-free attempt (browser-ie.rules)
 * 1:36690 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer managed CDispNode objects use-after-free attempt (browser-ie.rules)
 * 1:36688 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36687 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:36686 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36685 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer col onpropertychange memory corruption attempt (browser-ie.rules)
 * 1:36684 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36683 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableCell object use after free attempt (browser-ie.rules)
 * 1:36682 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer access violation attempt (browser-ie.rules)
 * 1:36680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36679 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cache management code overflow attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36676 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36675 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMarkup use-after-free attempt (browser-ie.rules)
 * 1:36674 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36673 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOM object hard hyphen bounds checking bypass attempt (browser-ie.rules)
 * 1:36672 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36671 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer fragmented CtxtBlk heap overflow attempt (browser-ie.rules)
 * 1:36670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sathurbot outbound connection (malware-cnc.rules)
 * 1:36669 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aerofix.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36668 <-> ENABLED <-> BLACKLIST DNS request for known malware domain inuxland.eu - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36667 <-> ENABLED <-> BLACKLIST DNS request for known malware domain newworldtraf.pro - Win.Trojan.Sathurbot (blacklist.rules)
 * 1:36666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tentobr outbound connection (malware-cnc.rules)
 * 1:36665 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36664 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36663 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36661 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36660 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36659 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36658 <-> DISABLED <-> FILE-OTHER Interactive Data eSignal stack buffer overflow attempt (file-other.rules)
 * 1:36657 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36656 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36655 <-> DISABLED <-> SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt (server-webapp.rules)
 * 1:36654 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:36653 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)

Modified Rules:


 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35200 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:33321 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:35199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TreeComputedContent object use after free attempt (browser-ie.rules)
 * 1:30053 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:33319 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt (browser-ie.rules)
 * 1:30051 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30052 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30049 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:30050 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:30048 <-> DISABLED <-> BROWSER-PLUGINS MW6 Technologies Aztec ActiveX clsid access (browser-plugins.rules)
 * 1:19458 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)
 * 1:19459 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt (file-office.rules)