Talos Rules 2016-05-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-tools, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
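Two things in the list above matter operationally and are easy to miss when skimming: a rule shipped under "New Rules" with a default state of DISABLED (the Emerson ROCLINK800, Mitsubishi MX and National Instruments ActiveX clsid rules, the SAP xMII and Oracle traversal rules, the Struts XSS rule) never alerts until you enable it locally, so sites running those products have to opt in; and the gid 3 entries (the TRUFFLEHUNTER TALOS-CAN rules) are shared-object rules, which only load if the SO rule pack compiled for your Snort build is installed alongside the text rules. The following parser for the "gid:sid <-> Default rule state <-> Message (rule group)" format is an added example, not Talos code or part of the rule pack. It works over a constructed sample of lines in the same shape as the changelog, tallies entries by section and state, and emits the disabled-by-default new SIDs as a gid:sid list (the one-per-line form assumed here is what pulledpork's enablesid.conf accepts).

```python
import re
from collections import Counter

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)

# Constructed sample in the changelog's format (a subset of the entries above).
SAMPLE = """\
New Rules:

 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)

Modified Rules:

 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
"""


def parse_changelog(text):
    """Return one dict per rule entry, tagged with the section it was listed under."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything not in entry form
        e = m.groupdict()
        e["gid"] = int(e["gid"])
        e["sid"] = int(e["sid"])
        # The first token of the message is the classification prefix (FILE-PDF, MALWARE-CNC, ...).
        e["category"] = e["msg"].split(" ", 1)[0]
        e["section"] = section
        entries.append(e)
    return entries


def summarize(entries):
    """Counts by (section, state) and by classification prefix."""
    by_state = Counter((e["section"], e["state"]) for e in entries)
    by_category = Counter(e["category"] for e in entries)
    return by_state, by_category


def disabled_new_sids(entries, categories=None):
    """New rules shipped DISABLED: silent until enabled locally. Optionally filter by prefix."""
    return sorted(
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["section"] == "new"
        and e["state"] == "DISABLED"
        and (categories is None or e["category"] in categories)
    )


def so_rule_sids(entries):
    """gid 3 entries are shared-object rules; they need the SO pack built for your Snort binary."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if e["gid"] == 3)


def enablesid_text(sids):
    """Render a gid:sid list one per line (assumed pulledpork enablesid.conf form)."""
    return "\n".join(sids) + "\n"


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    by_state, by_category = summarize(parsed)
    print("by section/state:", dict(by_state))
    print("by category:", dict(by_category))
    print("new but disabled:", disabled_new_sids(parsed))
    print("ICS ActiveX to consider enabling:", disabled_new_sids(parsed, {"BROWSER-PLUGINS"}))
    print("shared-object rules present:", so_rule_sids(parsed))
    print(enablesid_text(disabled_new_sids(parsed)), end="")
```

Run it against the full text of one rule pack's section rather than the sample to get the real enable candidates; the regex deliberately requires the "(name.rules)" suffix so that the version banner and format line are skipped rather than mis-parsed.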

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)

2016-05-24 22:04:37 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)

2016-05-24 22:04:35 UTC

Snort Subscriber Rules Update

Date: 2016-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.7ev3n variant outbound connection (malware-cnc.rules)
 * 1:39052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adialer variant outbound connection attempt (malware-cnc.rules)
 * 1:39051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer (blacklist.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39043 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39042 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39041 <-> DISABLED <-> BROWSER-PLUGINS National Instruments ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
 * 1:39039 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39038 <-> DISABLED <-> BROWSER-PLUGINS Emerson ROCLINK800 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39037 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39036 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object itself embedding a Flash file (file-office.rules)
 * 1:39033 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39032 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39031 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39030 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNative use-after-free attempt (file-flash.rules)
 * 1:39029 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39028 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG 2000 memory corruption attempt (file-pdf.rules)
 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39023 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39022 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39021 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39020 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39019 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK use-after-free attempt (file-flash.rules)
 * 1:39018 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39017 <-> ENABLED <-> FILE-PDF Adobe Reader XFA FormInstanceManager use after free attempt (file-pdf.rules)
 * 1:39016 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39015 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm dictionary object use after free attempt (file-pdf.rules)
 * 1:39014 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39013 <-> ENABLED <-> FILE-PDF Adobe Reader CTJPEGDecoderReadNextTile out of bounds read attempt (file-pdf.rules)
 * 1:39012 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39011 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39010 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39009 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setMetadata memory corruption attempt (file-flash.rules)
 * 1:39008 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39007 <-> ENABLED <-> FILE-PDF Adobe Reader XFA form use-after-free attempt (file-pdf.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38997 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player addProperty use after free attempt (file-flash.rules)
 * 1:38995 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:38994 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus config file download (malware-cnc.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:38992 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38991 <-> ENABLED <-> FILE-PDF Adobe Reader execAVDialog JavaScript function use-after-free attempt (file-pdf.rules)
 * 1:38990 <-> DISABLED <-> SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt (server-webapp.rules)
 * 1:38989 <-> DISABLED <-> MALWARE-TOOLS TorStresser http DoS tool (malware-tools.rules)
 * 1:38988 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38987 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38986 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt (server-webapp.rules)
 * 1:38985 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38984 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38983 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38982 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:38981 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed FlateDecode stream use after free attempt (file-pdf.rules)
 * 1:38979 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt (server-webapp.rules)
 * 1:38978 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38977 <-> DISABLED <-> FILE-PDF Adobe Acrobat memory corruption vulnerability attempt (file-pdf.rules)
 * 1:38976 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38975 <-> DISABLED <-> FILE-PDF Adobe Reader clearGlobalSecurityStore information leak attempt (file-pdf.rules)
 * 1:38974 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38973 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38972 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38971 <-> ENABLED <-> FILE-FLASH Adobe Flash Player OpportunityGenerator.update memory corruption attempt (file-flash.rules)
 * 1:38970 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38969 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38968 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
 * 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPX image out of bounds read attempt (file-pdf.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39035 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)
 * 3:39045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0154 attack attempt (file-other.rules)
 * 3:39047 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39048 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0169 attack attempt (file-executable.rules)
 * 3:39049 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)
 * 3:39050 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0145 attack attempt (file-office.rules)

Modified Rules:


 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt (server-other.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
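The release notes state the changelog line format as `gid:sid <-> Default rule state <-> Message (rule group)`. When triaging a release like this one, the first questions are usually which new rules ship DISABLED by default (and so give no coverage until you turn them on), which entries are gid:3 shared-object rules that need the precompiled SO bundle for your Snort version, and how the additions break down by category. The parser below is an added example, not Talos or Snort code; it parses that stated format, splits the New and Modified sections, and emits the `gid:sid` list that PulledPork's enablesid.conf / disablesid.conf accept. The sample text is a constructed excerpt of lines copied in the same format as this page; the function names and the `category` field (first token of the message) are my own choices.

```python
import re
from collections import Counter

# Matches one changelog entry in the format stated in the release notes:
#   " * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Constructed sample: a short excerpt in the same format as the release notes above.
SAMPLE = """\
New Rules:


 * 1:39027 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt (server-webapp.rules)
 * 1:39026 <-> ENABLED <-> FILE-FLASH Adobe Flash Player selection.setFocus use after free attempt (file-flash.rules)
 * 1:39044 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MX ActiveX clsid access attempt (browser-plugins.rules)
 * 3:39034 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0153 attack attempt (file-other.rules)

Modified Rules:


 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
"""


def parse_changelog(text):
    """Parse release-note text into a list of dicts; 'section' is 'new' or 'modified'."""
    records = []
    section = None
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m or section is None:
            continue  # blank lines, headers, or text before the first section
        records.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "category": m["msg"].split()[0],  # e.g. FILE-FLASH, SERVER-WEBAPP
            "group": m["group"],
            "section": section,
            # gid 3 is the generator ID for shared-object (precompiled) rules,
            # which only load if the SO bundle for your Snort build is installed.
            "shared_object": m["gid"] == "3",
        })
    return records


def sid_list(records, section=None, state=None):
    """gid:sid strings (numerically sorted) filtered by section and/or default state."""
    picked = [r for r in records
              if (section is None or r["section"] == section)
              and (state is None or r["state"] == state)]
    return [f"{r['gid']}:{r['sid']}" for r in sorted(picked, key=lambda r: (r["gid"], r["sid"]))]


def summarize(records):
    """Count entries per (section, category, default state)."""
    counts = Counter()
    for r in records:
        counts[(r["section"], r["category"], r["state"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_changelog(SAMPLE)
    print("new rules shipped DISABLED:", sid_list(recs, section="new", state="DISABLED"))
    print("shared-object rules:", [f"{r['gid']}:{r['sid']}" for r in recs if r["shared_object"]])
    for key, n in sorted(summarize(recs).items()):
        print(key, n)
```

Feed the full release text to `parse_changelog` and write `sid_list(recs, section="new", state="DISABLED")` to a review queue: the DISABLED browser-plugins and server-webapp additions in this release are the ones that give no coverage until you decide, per environment, to enable them.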