Talos Rules 2017-10-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-office, file-other, indicator-obfuscation, malware-cnc, os-windows, policy-other, pua-adware, server-apache, server-MySQL and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-31 14:08:22 UTC

Snort Subscriber Rules Update

Date: 2017-10-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules)
 * 1:44701 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44700 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules)
 * 1:44696 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess MSRPC server integer overflow attempt (server-other.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44691 <-> DISABLED <-> PUA-ADWARE Win.Adware.Clover outbound connection (pua-adware.rules)
 * 1:44690 <-> DISABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:44686 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44685 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44684 <-> DISABLED <-> SERVER-WEBAPP Kaltura userzone cookie PHP object injection attempt (server-webapp.rules)
 * 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44681 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.IoTReaper_Botnet telnet connection attempt (malware-cnc.rules)
 * 1:44680 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44679 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44678 <-> DISABLED <-> POLICY-OTHER NetSupport Manager RAT outbound connection detected (policy-other.rules)
 * 1:44677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nemucod outbound connection (malware-cnc.rules)
 * 1:44676 <-> DISABLED <-> SERVER-OTHER Wireshark Sigcomp buffer overflow attempt (server-other.rules)
 * 1:44675 <-> DISABLED <-> SERVER-OTHER iSCSI target multiple implementations iSNS stack buffer overflow attempt (server-other.rules)
 * 1:44674 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query integer overflow attempt (server-mysql.rules)
 * 1:44673 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44672 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44671 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44670 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44669 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44668 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44667 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:19140 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:25808 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 1:26299 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26300 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26301 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26302 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:26303 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26304 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26305 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26306 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:26307 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26308 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26309 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:26310 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26311 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26312 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26313 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:27810 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit redirection (exploit-kit.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)

2017-10-31 14:08:22 UTC

Snort Subscriber Rules Update

Date: 2017-10-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44696 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess MSRPC server integer overflow attempt (server-other.rules)
 * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules)
 * 1:44701 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44700 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44667 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44668 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44669 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44670 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44671 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44672 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44673 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44674 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query integer overflow attempt (server-mysql.rules)
 * 1:44675 <-> DISABLED <-> SERVER-OTHER iSCSI target multiple implementations iSNS stack buffer overflow attempt (server-other.rules)
 * 1:44676 <-> DISABLED <-> SERVER-OTHER Wireshark Sigcomp buffer overflow attempt (server-other.rules)
 * 1:44677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nemucod outbound connection (malware-cnc.rules)
 * 1:44678 <-> DISABLED <-> POLICY-OTHER NetSupport Manager RAT outbound connection detected (policy-other.rules)
 * 1:44679 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44680 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44681 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.IoTReaper_Botnet telnet connection attempt (malware-cnc.rules)
 * 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44684 <-> DISABLED <-> SERVER-WEBAPP Kaltura userzone cookie PHP object injection attempt (server-webapp.rules)
 * 1:44685 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44686 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:44690 <-> DISABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:44691 <-> DISABLED <-> PUA-ADWARE Win.Adware.Clover outbound connection (pua-adware.rules)
 * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules)
 * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)

Modified Rules:


 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:27810 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit redirection (exploit-kit.rules)
 * 1:26313 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26310 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26311 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26308 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26306 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26304 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26305 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:19140 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:25808 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:26312 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 1:26307 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26301 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26303 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26299 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:26302 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:26300 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:26309 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)

2017-10-31 14:08:22 UTC

Snort Subscriber Rules Update

Date: 2017-10-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44697 <-> DISABLED <-> MALWARE-CNC SquirrelMail directory traversal attempt (malware-cnc.rules)
 * 1:44700 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44682 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44696 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess MSRPC server integer overflow attempt (server-other.rules)
 * 1:44692 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:44677 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nemucod outbound connection (malware-cnc.rules)
 * 1:44680 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44702 <-> DISABLED <-> POLICY-OTHER Inedo BuildMaster web server login with default credentials attempt (policy-other.rules)
 * 1:44681 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.IoTReaper_Botnet telnet connection attempt (malware-cnc.rules)
 * 1:44690 <-> DISABLED <-> SERVER-OTHER ElasticSearch script remote code execution attempt (server-other.rules)
 * 1:44668 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44667 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44670 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44683 <-> DISABLED <-> SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt (server-other.rules)
 * 1:44669 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt (file-office.rules)
 * 1:44693 <-> DISABLED <-> INDICATOR-OBFUSCATION CoinHive cryptocurrency mining attempt (indicator-obfuscation.rules)
 * 1:44684 <-> DISABLED <-> SERVER-WEBAPP Kaltura userzone cookie PHP object injection attempt (server-webapp.rules)
 * 1:44686 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44674 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query integer overflow attempt (server-mysql.rules)
 * 1:44701 <-> DISABLED <-> SERVER-OTHER Veritas Backup Exec Agent use after free attempt (server-other.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
 * 1:44678 <-> DISABLED <-> POLICY-OTHER NetSupport Manager RAT outbound connection detected (policy-other.rules)
 * 1:44679 <-> DISABLED <-> SERVER-OTHER Beetel Connection Manager username buffer overflow attempt (server-other.rules)
 * 1:44675 <-> DISABLED <-> SERVER-OTHER iSCSI target multiple implementations iSNS stack buffer overflow attempt (server-other.rules)
 * 1:44676 <-> DISABLED <-> SERVER-OTHER Wireshark Sigcomp buffer overflow attempt (server-other.rules)
 * 1:44672 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44673 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44691 <-> DISABLED <-> PUA-ADWARE Win.Adware.Clover outbound connection (pua-adware.rules)
 * 1:44695 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44685 <-> DISABLED <-> SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt (server-other.rules)
 * 1:44671 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:44694 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)

Modified Rules:


 * 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39908 <-> DISABLED <-> SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt (server-apache.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:25808 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure (exploit-kit.rules)
 * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26313 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26310 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26301 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:26309 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:26302 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26303 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:26299 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26308 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26311 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:26304 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26312 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:19140 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:26300 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt (server-mysql.rules)
 * 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
 * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
 * 1:26307 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt (server-mysql.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:27810 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit redirection (exploit-kit.rules)
 * 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:26306 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt (server-mysql.rules)
 * 1:26305 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt (server-mysql.rules)
 * 1:33637 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt (server-mysql.rules)
 * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)