Talos Rules 2016-12-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-12-20 16:42:04 UTC

Snort Subscriber Rules Update

Date: 2016-12-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41082 <-> DISABLED <-> SERVER-OTHER Tarantool Msgpuck mp_check denial of service vulnerability attempt (server-other.rules)
 * 1:41081 <-> ENABLED <-> SERVER-OTHER Tarantool initial connection banner detected (server-other.rules)
 * 1:41080 <-> DISABLED <-> SERVER-OTHER Tarantool xrow_header_decode out of bounds read attempt (server-other.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41044 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash CPU attempt (protocol-scada.rules)
 * 1:41043 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Ethernet Reset attempt (protocol-scada.rules)
 * 1:41042 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Dump Boot Code attempt (protocol-scada.rules)
 * 1:41041 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41040 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
 * 1:41036 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:41035 <-> ENABLED <-> EXPLOIT-KIT Sundown Exploit Kit redirection attempt (exploit-kit.rules)
 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:41033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proteus outbound connection (malware-cnc.rules)
 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Inspector hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:41031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection attempt (malware-cnc.rules)
 * 1:40517 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Network Policy Change attempt (protocol-scada.rules)
 * 1:40518 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Stop CPU attempt (protocol-scada.rules)
 * 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
 * 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)

2016-12-20 16:42:04 UTC

Snort Subscriber Rules Update

Date: 2016-12-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proteus outbound connection (malware-cnc.rules)
 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Inspector hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:41031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:41035 <-> ENABLED <-> EXPLOIT-KIT Sundown Exploit Kit redirection attempt (exploit-kit.rules)
 * 1:41036 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
 * 1:41040 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41041 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41042 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Dump Boot Code attempt (protocol-scada.rules)
 * 1:41043 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Ethernet Reset attempt (protocol-scada.rules)
 * 1:41044 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash CPU attempt (protocol-scada.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41082 <-> DISABLED <-> SERVER-OTHER Tarantool Msgpuck mp_check denial of service vulnerability attempt (server-other.rules)
 * 1:41081 <-> ENABLED <-> SERVER-OTHER Tarantool initial connection banner detected (server-other.rules)
 * 1:41080 <-> DISABLED <-> SERVER-OTHER Tarantool xrow_header_decode out of bounds read attempt (server-other.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)

Modified Rules:


 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection attempt (malware-cnc.rules)
 * 1:40517 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Network Policy Change attempt (protocol-scada.rules)
 * 1:40518 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Stop CPU attempt (protocol-scada.rules)
 * 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
 * 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)

2016-12-20 16:42:04 UTC

Snort Subscriber Rules Update

Date: 2016-12-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41044 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash CPU attempt (protocol-scada.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41042 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Dump Boot Code attempt (protocol-scada.rules)
 * 1:41043 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Ethernet Reset attempt (protocol-scada.rules)
 * 1:41040 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41041 <-> ENABLED <-> OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt (os-linux.rules)
 * 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Athena variant outbound connection (malware-cnc.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Proteus outbound connection (malware-cnc.rules)
 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Inspector hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:41081 <-> ENABLED <-> SERVER-OTHER Tarantool initial connection banner detected (server-other.rules)
 * 1:41080 <-> DISABLED <-> SERVER-OTHER Tarantool xrow_header_decode out of bounds read attempt (server-other.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41035 <-> ENABLED <-> EXPLOIT-KIT Sundown Exploit Kit redirection attempt (exploit-kit.rules)
 * 1:41036 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
 * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41082 <-> DISABLED <-> SERVER-OTHER Tarantool Msgpuck mp_check denial of service vulnerability attempt (server-other.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)

Modified Rules:


 * 1:40607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40784 <-> ENABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
 * 1:40606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40518 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Stop CPU attempt (protocol-scada.rules)
 * 1:40604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection attempt (malware-cnc.rules)
 * 1:40517 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Network Policy Change attempt (protocol-scada.rules)
 * 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)