Talos Rules 2016-04-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-14 15:34:24 UTC

Snort Subscriber Rules Update

Date: 2016-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38536 <-> DISABLED <-> SERVER-WEBAPP Wordpress Scoreme cross site scripting attempt (server-webapp.rules)
 * 1:38537 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38531 <-> DISABLED <-> SERVER-WEBAPP WSN Live SQL injection attempt SQL injection attempt (server-webapp.rules)
 * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38529 <-> DISABLED <-> MALWARE-OTHER XBot CC Social Engineering (malware-other.rules)
 * 1:38527 <-> ENABLED <-> BLACKLIST DNS request for known malware domain melon25.ru - XBot (blacklist.rules)
 * 1:38525 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38509 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection (malware-cnc.rules)
 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)
 * 1:38513 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules)
 * 1:38512 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38523 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38542 <-> DISABLED <-> MALWARE-CNC VBS Trojan Downloading Encoded Executable (malware-cnc.rules)
 * 1:38516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38538 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:38539 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38515 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38517 <-> ENABLED <-> MALWARE-CNC binary download while video expected (malware-cnc.rules)
 * 1:38518 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38519 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38520 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38521 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirect page detected (exploit-kit.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38524 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:38530 <-> ENABLED <-> MALWARE-CNC Obfuscated Javascript Attack runtime detection (malware-cnc.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38540 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:38514 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 3:38543 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central Web Framework remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:38030 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)
 * 1:29287 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29286 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38033 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected  (policy-other.rules)
 * 1:38034 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected (policy-other.rules)
 * 1:38031 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function download detected (policy-other.rules)
 * 1:38050 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:38051 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:29288 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38032 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:12252 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:12248 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:12246 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12250 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29281 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38027 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)
 * 1:29283 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29285 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38052 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:38053 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:38020 <-> DISABLED <-> FILE-FLASH Adobe Flash file with CreateFileA shellcode (file-flash.rules)
 * 1:38054 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:38021 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38022 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:38023 <-> DISABLED <-> FILE-FLASH Adobe Flash file CreateFileA shellcode found (file-flash.rules)
 * 1:38055 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:38024 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38056 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:38025 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38057 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:38026 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:29284 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38059 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:38028 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function (policy-other.rules)
 * 1:38029 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:38058 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:29282 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)

2016-04-14 15:34:24 UTC

Snort Subscriber Rules Update

Date: 2016-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38542 <-> DISABLED <-> MALWARE-CNC VBS Trojan Downloading Encoded Executable (malware-cnc.rules)
 * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules)
 * 1:38509 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection (malware-cnc.rules)
 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)
 * 1:38512 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38513 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38515 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38514 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38517 <-> ENABLED <-> MALWARE-CNC binary download while video expected (malware-cnc.rules)
 * 1:38518 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38520 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38519 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38521 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirect page detected (exploit-kit.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38523 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38525 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38524 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38527 <-> ENABLED <-> BLACKLIST DNS request for known malware domain melon25.ru - XBot (blacklist.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:38530 <-> ENABLED <-> MALWARE-CNC Obfuscated Javascript Attack runtime detection (malware-cnc.rules)
 * 1:38529 <-> DISABLED <-> MALWARE-OTHER XBot CC Social Engineering (malware-other.rules)
 * 1:38531 <-> DISABLED <-> SERVER-WEBAPP WSN Live SQL injection attempt SQL injection attempt (server-webapp.rules)
 * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38536 <-> DISABLED <-> SERVER-WEBAPP Wordpress Scoreme cross site scripting attempt (server-webapp.rules)
 * 1:38537 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38538 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:38540 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:38539 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 3:38543 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central Web Framework remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:29288 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:29285 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29286 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29283 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29284 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:12252 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:29281 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:12248 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:12250 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38031 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function download detected (policy-other.rules)
 * 1:38030 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)
 * 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38032 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:38033 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected  (policy-other.rules)
 * 1:38034 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected (policy-other.rules)
 * 1:38050 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:38051 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:38052 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:12246 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38053 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:29282 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38054 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:29287 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38055 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:38020 <-> DISABLED <-> FILE-FLASH Adobe Flash file with CreateFileA shellcode (file-flash.rules)
 * 1:38056 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:38021 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38022 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:38057 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:38023 <-> DISABLED <-> FILE-FLASH Adobe Flash file CreateFileA shellcode found (file-flash.rules)
 * 1:38024 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38026 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:38025 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38059 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:38058 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:38028 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function (policy-other.rules)
 * 1:38029 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:38027 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)

2016-04-14 15:34:24 UTC

Snort Subscriber Rules Update

Date: 2016-04-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38542 <-> DISABLED <-> MALWARE-CNC VBS Trojan Downloading Encoded Executable (malware-cnc.rules)
 * 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38540 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:38539 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38538 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:38537 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38536 <-> DISABLED <-> SERVER-WEBAPP Wordpress Scoreme cross site scripting attempt (server-webapp.rules)
 * 1:38535 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38531 <-> DISABLED <-> SERVER-WEBAPP WSN Live SQL injection attempt SQL injection attempt (server-webapp.rules)
 * 1:38530 <-> ENABLED <-> MALWARE-CNC Obfuscated Javascript Attack runtime detection (malware-cnc.rules)
 * 1:38529 <-> DISABLED <-> MALWARE-OTHER XBot CC Social Engineering (malware-other.rules)
 * 1:38528 <-> DISABLED <-> MALWARE-CNC XBot Command Request get_action (malware-cnc.rules)
 * 1:38527 <-> ENABLED <-> BLACKLIST DNS request for known malware domain melon25.ru - XBot (blacklist.rules)
 * 1:38526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38525 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Troll dropper document file detected (malware-other.rules)
 * 1:38524 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38523 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38521 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit redirect page detected (exploit-kit.rules)
 * 1:38520 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38519 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38518 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38517 <-> ENABLED <-> MALWARE-CNC binary download while video expected (malware-cnc.rules)
 * 1:38516 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38515 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38514 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper outbound connection attempt (malware-cnc.rules)
 * 1:38513 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38512 <-> DISABLED <-> SERVER-WEBAPP ATutor question_import.php directory traversal attempt (server-webapp.rules)
 * 1:38511 <-> DISABLED <-> SERVER-WEBAPP Novell Service Desk directory traversal attempt (server-webapp.rules)
 * 1:38510 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt (malware-cnc.rules)
 * 1:38509 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection (malware-cnc.rules)
 * 3:38543 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central Web Framework remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38059 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:38058 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:38057 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:38056 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:12246 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12248 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32 ActiveX function call access attempt (browser-plugins.rules)
 * 1:12250 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38055 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:12252 <-> DISABLED <-> BROWSER-PLUGINS Symantec NavComUI AxSysListView32OAA ActiveX function call access attempt (browser-plugins.rules)
 * 1:29281 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29282 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29283 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38054 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing protoType.valueOf function download detected (policy-other.rules)
 * 1:29284 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29285 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29286 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29287 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:38053 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing getDefinitionByName function download detected (policy-other.rules)
 * 1:29288 <-> DISABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:37970 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:38052 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing parseFloat function download detected (policy-other.rules)
 * 1:38020 <-> DISABLED <-> FILE-FLASH Adobe Flash file with CreateFileA shellcode (file-flash.rules)
 * 1:38021 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38022 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:38023 <-> DISABLED <-> FILE-FLASH Adobe Flash file CreateFileA shellcode found (file-flash.rules)
 * 1:38051 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing domainMemory function download detected (policy-other.rules)
 * 1:38024 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38025 <-> DISABLED <-> FILE-FLASH Adobe Flash file with large DefineBinaryData tag (file-flash.rules)
 * 1:38026 <-> DISABLED <-> FILE-FLASH Adobe Flash file with RC4 decryption routine detected (file-flash.rules)
 * 1:38050 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing defaultValue function download detected (policy-other.rules)
 * 1:38034 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected (policy-other.rules)
 * 1:38033 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing allowLoadBytesCodeExecution function download detected  (policy-other.rules)
 * 1:38032 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:38031 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function download detected (policy-other.rules)
 * 1:38030 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)
 * 1:38029 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing atomicCompareAndSwapLength function download detected (policy-other.rules)
 * 1:38027 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing ExternalInterface function download detected (policy-other.rules)
 * 1:38028 <-> DISABLED <-> POLICY-OTHER Adobe Flash file containing loadBytes function (policy-other.rules)