Talos Rules 2017-10-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-11762: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44518 through 44519.

Microsoft Vulnerability CVE-2017-11763: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44528 through 44529.

Microsoft Vulnerability CVE-2017-11793: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44508 through 44509.

Microsoft Vulnerability CVE-2017-11798: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44532 through 44533.

Microsoft Vulnerability CVE-2017-11800: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 44333 through 44334.

Microsoft Vulnerability CVE-2017-11810: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44510 through 44511.

Microsoft Vulnerability CVE-2017-11822: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44512 through 44513.

Microsoft Vulnerability CVE-2017-8689: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44516 through 44517.

Microsoft Vulnerability CVE-2017-8694: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44514 through 44515.

Microsoft Vulnerability CVE-2017-8727: A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44526 through 44527.

Talos also has added and modified multiple rules in the browser-ie, file-image, file-office, file-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-10 17:50:14 UTC

Snort Subscriber Rules Update

Date: 2017-10-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44536 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44535 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44534 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44533 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44532 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:44530 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center DeviceService Java expression language injection attempt (server-webapp.rules)
 * 1:44529 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:44528 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:44527 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44526 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44519 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 1:44518 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 1:44517 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44516 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44513 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44512 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44511 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44510 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44509 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44508 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44507 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager information disclosure attempt (server-webapp.rules)
 * 1:44506 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44505 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44504 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 3:44520 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44524 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)
 * 3:44525 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)

Modified Rules:


 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:35487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:30243 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:13287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:35488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:40459 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:40460 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:41355 <-> DISABLED <-> SERVER-WEBAPP WordPress Admin API ajax-actions.php directory traversal attempt (server-webapp.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:43157 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43158 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)

2017-10-10 17:50:14 UTC

Snort Subscriber Rules Update

Date: 2017-10-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44516 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44512 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44513 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44511 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44509 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44507 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager information disclosure attempt (server-webapp.rules)
 * 1:44508 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44529 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:44505 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44530 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center DeviceService Java expression language injection attempt (server-webapp.rules)
 * 1:44532 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44533 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44528 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:44534 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44535 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44506 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44510 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:44504 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44517 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44536 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44518 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 1:44526 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44527 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44519 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 3:44520 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44524 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)
 * 3:44525 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)

Modified Rules:


 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:35488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:13287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:35487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:30243 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:40460 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:41355 <-> DISABLED <-> SERVER-WEBAPP WordPress Admin API ajax-actions.php directory traversal attempt (server-webapp.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:40459 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:43157 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43158 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)

2017-10-10 17:50:14 UTC

Snort Subscriber Rules Update

Date: 2017-10-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44530 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center DeviceService Java expression language injection attempt (server-webapp.rules)
 * 1:44532 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44535 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44536 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44533 <-> ENABLED <-> BROWSER-IE Microsoft Edge getOwnPropertyDescriptor memory corruption attempt (browser-ie.rules)
 * 1:44505 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44534 <-> DISABLED <-> SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt (server-webapp.rules)
 * 1:44529 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:44506 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44507 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager information disclosure attempt (server-webapp.rules)
 * 1:44508 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44509 <-> ENABLED <-> BROWSER-IE scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:44510 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44511 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44512 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44513 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull.sys privilege escalation attempt (os-windows.rules)
 * 1:44516 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44517 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CreateMenu use after free attempt (os-windows.rules)
 * 1:44504 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt (server-webapp.rules)
 * 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
 * 1:44518 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 1:44519 <-> DISABLED <-> FILE-OFFICE Microsoft Graphics remote code execution attempt (file-office.rules)
 * 1:44526 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44527 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:44528 <-> DISABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 3:44520 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0461 attack attempt (file-office.rules)
 * 3:44522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0460 attack attempt (file-office.rules)
 * 3:44524 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)
 * 3:44525 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0459 attack attempt (file-image.rules)

Modified Rules:


 * 1:30242 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:13287 <-> DISABLED <-> OS-WINDOWS Microsoft Windows remote kernel tcp/ip igmp vulnerability exploit attempt (os-windows.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:40459 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:35487 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:30243 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:35488 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:40460 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
 * 1:41355 <-> DISABLED <-> SERVER-WEBAPP WordPress Admin API ajax-actions.php directory traversal attempt (server-webapp.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel shared strings memory corruption attempt (file-office.rules)
 * 1:44472 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:43157 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43158 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:43173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:43174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 RS2 x64 linked cursor double free attempt (os-windows.rules)
 * 1:44471 <-> ENABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)