Talos Rules 2016-05-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-05-17 16:51:53 UTC

Snort Subscriber Rules Update

Date: 2016-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
 * 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
 * 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
 * 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
 * 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
 * 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
 * 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
 * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
 * 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)

Modified Rules:


 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)

2016-05-17 16:51:53 UTC

Snort Subscriber Rules Update

Date: 2016-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
 * 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
 * 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
 * 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
 * 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
 * 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
 * 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
 * 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
 * 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
 * 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
 * 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)

2016-05-17 16:51:53 UTC

Snort Subscriber Rules Update

Date: 2016-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
 * 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
 * 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
 * 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
 * 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
 * 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
 * 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
 * 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
 * 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
 * 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
 * 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
 * 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
 * 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
 * 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
 * 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
 * 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
 * 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
 * 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
 * 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
 * 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
 * 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
 * 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
 * 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
 * 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
 * 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
 * 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
 * 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
 * 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
 * 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
 * 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
 * 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
 * 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)

Modified Rules:


 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
 * 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
 * 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)