Talos Rules 2016-01-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, blacklist, deleted, exploit-kit, file-flash, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-icmp, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-01-19 22:20:02 UTC

Snort Subscriber Rules Update

Date: 2016-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
 * 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
 * 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
 * 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
 * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
 * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
 * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
 * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
 * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
 * 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
 * 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
 * 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
 * 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)
 * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
 * 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
 * 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
 * 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
 * 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
 * 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
 * 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)

2016-01-19 22:20:02 UTC

Snort Subscriber Rules Update

Date: 2016-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
 * 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
 * 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
 * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
 * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
 * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
 * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
 * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
 * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
 * 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
 * 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)
 * 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
 * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
 * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
 * 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
 * 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
 * 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)

Modified Rules:

 * 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
 * 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
 * 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)

2016-01-19 22:20:02 UTC

Snort Subscriber Rules Update

Date: 2016-01-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37410 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37409 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ActiveX object uninitialized memory access attempt (file-office.rules)
 * 1:37408 <-> DISABLED <-> DELETED OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (deleted.rules)
 * 1:37407 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37406 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
 * 1:37405 <-> ENABLED <-> FILE-PDF Adobe Reader addAnnot JavaScript based memory corruption attempt (file-pdf.rules)
 * 1:37404 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt (server-other.rules)
 * 1:37403 <-> DISABLED <-> SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt (server-other.rules)
 * 1:37402 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37401 <-> DISABLED <-> FILE-OTHER librtmp invalid pointer dereference attempt (file-other.rules)
 * 1:37400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader custom string length function memory corruption attempt (file-pdf.rules)
 * 1:37398 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37397 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:37396 <-> DISABLED <-> SERVER-WEBAPP eWON default password login attempt (server-webapp.rules)
 * 1:37395 <-> DISABLED <-> SERVER-WEBAPP Westermo default password login attempt (server-webapp.rules)
 * 1:37394 <-> DISABLED <-> SERVER-WEBAPP Wago default password login attempt (server-webapp.rules)
 * 1:37393 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37392 <-> DISABLED <-> SERVER-WEBAPP Schneider default password login attempt (server-webapp.rules)
 * 1:37391 <-> DISABLED <-> SERVER-WEBAPP Samsung default password login attempt (server-webapp.rules)
 * 1:37390 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37389 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation default password login attempt (server-webapp.rules)
 * 1:37388 <-> DISABLED <-> SERVER-WEBAPP NOVUS AUTOMATION default password login attempt (server-webapp.rules)
 * 1:37387 <-> DISABLED <-> SERVER-WEBAPP Moxa default password login attempt (server-webapp.rules)
 * 1:37386 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37385 <-> DISABLED <-> SERVER-WEBAPP Hirschmann default password login attempt (server-webapp.rules)
 * 1:37384 <-> DISABLED <-> SERVER-WEBAPP Emerson default password login attempt (server-webapp.rules)
 * 1:37383 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37382 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37381 <-> DISABLED <-> SERVER-WEBAPP Digi default password login attempt (server-webapp.rules)
 * 1:37380 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37379 <-> DISABLED <-> SERVER-WEBAPP BinTec Elmeg default password login attempt (server-webapp.rules)
 * 1:37378 <-> DISABLED <-> SERVER-WEBAPP ABB default password login attempt (server-webapp.rules)
 * 1:37377 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37376 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (deleted.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL MailEnable IMAP service EXAMINE command log message overflow attempt (server-mail.rules)
 * 1:37374 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derkziel variant outbound connection (malware-cnc.rules)
 * 1:37373 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37372 <-> ENABLED <-> BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel (blacklist.rules)
 * 1:37371 <-> ENABLED <-> SERVER-OTHER OpenSSH insecure roaming key exchange attempt (server-other.rules)
 * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
 * 1:37369 <-> DISABLED <-> SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt (server-webapp.rules)
 * 1:37368 <-> DISABLED <-> SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt (server-other.rules)
 * 1:37367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:37365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37364 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
 * 1:37362 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:37361 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit iframe insertion detected (exploit-kit.rules)

Modified Rules:

 * 1:13287 <-> DISABLED <-> OS-WINDOWS Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:13288 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt (os-windows.rules)
 * 1:13898 <-> ENABLED <-> APP-DETECT Apple iTunes client request for server info (app-detect.rules)
 * 1:13899 <-> DISABLED <-> APP-DETECT Apple iTunes client login attempt (app-detect.rules)
 * 1:13900 <-> DISABLED <-> APP-DETECT Apple iTunes server multicast DNS response (app-detect.rules)
 * 1:16051 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2007 conversion library code execution attempt (file-office.rules)
 * 1:17155 <-> DISABLED <-> SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt (server-other.rules)
 * 1:17722 <-> DISABLED <-> SERVER-ORACLE XDB.XDB_PITRIG_PKG buffer overflow attempt (server-oracle.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:36637 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37126 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP3 ID3 data parsing heap buffer overflow attempt (file-flash.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:396 <-> DISABLED <-> PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set (protocol-icmp.rules)