Talos Rules 2017-05-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-office, file-other, file-pdf, indicator-obfuscation, indicator-shellcode, malware-cnc, malware-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-05-11 16:50:43 UTC

Snort Subscriber Rules Update

Date: 2017-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
 * 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
 * 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
 * 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)

Modified Rules:


 * 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17  (exploit-kit.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
 * 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
 * 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
 * 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
 * 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
 * 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
 * 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
 * 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
 * 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
 * 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
 * 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)

2017-05-11 16:50:43 UTC

Snort Subscriber Rules Update

Date: 2017-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
 * 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
 * 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
 * 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
 * 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
 * 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)

Modified Rules:


 * 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
 * 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
 * 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
 * 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
 * 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
 * 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
 * 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
 * 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17  (exploit-kit.rules)
 * 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
 * 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
 * 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)

2017-05-11 16:50:43 UTC

Snort Subscriber Rules Update

Date: 2017-05-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
 * 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
 * 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
 * 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
 * 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
 * 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
 * 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
 * 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
 * 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
 * 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
 * 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
 * 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)

Modified Rules:


 * 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
 * 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
 * 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
 * 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
 * 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
 * 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
 * 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
 * 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
 * 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
 * 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
 * 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
 * 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
 * 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
 * 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
 * 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
 * 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17  (exploit-kit.rules)
 * 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
 * 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
 * 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
 * 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)