Talos Rules 2017-07-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-0243: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42755 through 42756.

Microsoft Vulnerability CVE-2017-8577: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43490 through 43491.

Microsoft Vulnerability CVE-2017-8578: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43473 through 43474.

Microsoft Vulnerability CVE-2017-8594: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43521 through 43522.

Microsoft Vulnerability CVE-2017-8598: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43469 through 43470.

Microsoft Vulnerability CVE-2017-8601: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43465 through 43466.

Microsoft Vulnerability CVE-2017-8605: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42753 through 42754.

Microsoft Vulnerability CVE-2017-8617: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43460 through 43463.

Microsoft Vulnerability CVE-2017-8618: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43471 through 43472.

Microsoft Vulnerability CVE-2017-8619: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43492 through 43493.

Talos also has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-other, indicator-compromise, malware-cnc, os-windows, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-07-11 18:31:34 UTC

Snort Subscriber Rules Update

Date: 2017-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43464 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestartDB opcode command injection attempt (server-other.rules)
 * 1:43465 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43463 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43462 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43460 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43461 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43466 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fireball variant outbound connection (malware-cnc.rules)
 * 1:43468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fireball variant outbound connection (malware-cnc.rules)
 * 1:43469 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory attempt (browser-ie.rules)
 * 1:43470 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory attempt (browser-ie.rules)
 * 1:43471 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt (browser-ie.rules)
 * 1:43472 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt (browser-ie.rules)
 * 1:43473 <-> ENABLED <-> OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt (os-windows.rules)
 * 1:43474 <-> ENABLED <-> OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt (os-windows.rules)
 * 1:43475 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43476 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43477 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43479 <-> ENABLED <-> FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt (file-flash.rules)
 * 1:43480 <-> ENABLED <-> FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt (file-flash.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:43490 <-> DISABLED <-> OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt (os-windows.rules)
 * 1:43491 <-> DISABLED <-> OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt (os-windows.rules)
 * 1:43492 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge array out of bounds write (browser-ie.rules)
 * 1:43493 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge array out of bounds write (browser-ie.rules)
 * 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
 * 1:43496 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected (server-webapp.rules)
 * 1:43497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt (browser-ie.rules)
 * 1:43498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt (browser-ie.rules)
 * 1:43499 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43500 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43501 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43502 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43503 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43504 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43505 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43506 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43507 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43508 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43509 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43510 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43511 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43512 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43513 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43514 <-> DISABLED <-> SERVER-OTHER Cisco IOS authentication proxy authentication request attempt (server-other.rules)
 * 1:43515 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain violation via cached object attempt (browser-ie.rules)
 * 1:43516 <-> DISABLED <-> BROWSER-OTHER Apple Safari nested xml tag denial of service attempt (browser-other.rules)
 * 1:43533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43525 <-> DISABLED <-> SERVER-OTHER Cisco ASA malformed SCCP packet denial of service attempt (server-other.rules)
 * 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:43520 <-> DISABLED <-> BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43521 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt (browser-ie.rules)
 * 1:43522 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt (browser-ie.rules)
 * 1:43519 <-> DISABLED <-> BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43517 <-> DISABLED <-> BROWSER-OTHER Apple Safari nested xml tag denial of service attempt (browser-other.rules)
 * 3:43483 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43484 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43485 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43486 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0368 attack attempt (server-other.rules)
 * 3:43487 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0370 attack attempt (server-webapp.rules)
 * 3:43488 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0372 attack attempt (server-webapp.rules)
 * 3:43489 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0374 attack attempt (server-other.rules)
 * 3:43518 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0373 attack attempt (server-other.rules)

Modified Rules:


 * 1:41923 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:41922 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:36982 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer select use after free attempt (browser-ie.rules)
 * 1:43092 <-> DISABLED <-> INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt (indicator-compromise.rules)
 * 1:36983 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer select use after free attempt (browser-ie.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:41819 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)

2017-07-11 18:31:34 UTC

Snort Subscriber Rules Update

Date: 2017-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43533 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player memory corruption attempt (file-flash.rules)
 * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
 * 1:43525 <-> DISABLED <-> SERVER-OTHER Cisco ASA malformed SCCP packet denial of service attempt (server-other.rules)
 * 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:43522 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt (browser-ie.rules)
 * 1:43521 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 type confusion vulnerability attempt (browser-ie.rules)
 * 1:43520 <-> DISABLED <-> BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43519 <-> DISABLED <-> BROWSER-PLUGINS Pegasus ImagXpress ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43517 <-> DISABLED <-> BROWSER-OTHER Apple Safari nested xml tag denial of service attempt (browser-other.rules)
 * 1:43516 <-> DISABLED <-> BROWSER-OTHER Apple Safari nested xml tag denial of service attempt (browser-other.rules)
 * 1:43515 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cross-domain violation via cached object attempt (browser-ie.rules)
 * 1:43514 <-> DISABLED <-> SERVER-OTHER Cisco IOS authentication proxy authentication request attempt (server-other.rules)
 * 1:43513 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43512 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43511 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43510 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43509 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43508 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43507 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43506 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43505 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43504 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43503 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 1:43502 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43501 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43500 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43499 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt (server-webapp.rules)
 * 1:43498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt (browser-ie.rules)
 * 1:43497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM brokercreatefile file access bypass attempt (browser-ie.rules)
 * 1:43496 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected (server-webapp.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
 * 1:43494 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid (server-webapp.rules)
 * 1:43493 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge array out of bounds write (browser-ie.rules)
 * 1:43492 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge array out of bounds write (browser-ie.rules)
 * 1:43491 <-> DISABLED <-> OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt (os-windows.rules)
 * 1:43490 <-> DISABLED <-> OS-WINDOWS Microsoft Windows unsafe memory access privilege escalation attempt (os-windows.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:43480 <-> ENABLED <-> FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt (file-flash.rules)
 * 1:43479 <-> ENABLED <-> FILE-FLASH Adobe Flash Player applyFilter memory corruption attempt (file-flash.rules)
 * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
 * 1:43477 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43476 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43475 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected (malware-cnc.rules)
 * 1:43474 <-> ENABLED <-> OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt (os-windows.rules)
 * 1:43473 <-> ENABLED <-> OS-WINDOWS Microsoft win32u PlgBlt out of bounds memory write attempt (os-windows.rules)
 * 1:43472 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt (browser-ie.rules)
 * 1:43471 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript VarType out of bounds read attempt (browser-ie.rules)
 * 1:43470 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory attempt (browser-ie.rules)
 * 1:43469 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory attempt (browser-ie.rules)
 * 1:43468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fireball variant outbound connection (malware-cnc.rules)
 * 1:43467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fireball variant outbound connection (malware-cnc.rules)
 * 1:43466 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43465 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43464 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestartDB opcode command injection attempt (server-other.rules)
 * 1:43463 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43462 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43461 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 1:43460 <-> DISABLED <-> BROWSER-IE Microsoft Edge use-after-free attempt (browser-ie.rules)
 * 3:43483 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43484 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43485 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0369 attack attempt (server-other.rules)
 * 3:43486 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0368 attack attempt (server-other.rules)
 * 3:43487 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0370 attack attempt (server-webapp.rules)
 * 3:43488 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0372 attack attempt (server-webapp.rules)
 * 3:43489 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0374 attack attempt (server-other.rules)
 * 3:43518 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0373 attack attempt (server-other.rules)

Modified Rules:


 * 1:36982 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer select use after free attempt (browser-ie.rules)
 * 1:41922 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:41923 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:43092 <-> DISABLED <-> INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt (indicator-compromise.rules)
 * 1:41819 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:36983 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer select use after free attempt (browser-ie.rules)