Talos Rules 2017-11-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-11-21 17:12:13 UTC

Snort Subscriber Rules Update

Date: 2017-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44990 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44989 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44988 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44987 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44985 <-> DISABLED <-> SERVER-OTHER Galil RIO-47100 denial of service attempt (server-other.rules)
 * 1:44984 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44983 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44982 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44981 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44980 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44979 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44978 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:44977 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44976 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem cnc communication attempt (malware-cnc.rules)
 * 1:44974 <-> DISABLED <-> SERVER-OTHER Cisco IOS Smart Install identification attempt (server-other.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:44970 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44969 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44968 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44967 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44966 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 1:44965 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 1:44964 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44963 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44962 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44961 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44960 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44959 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44958 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44957 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44956 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44955 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44952 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44951 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44950 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44949 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44948 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44947 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44942 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44941 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44940 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44939 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44938 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44937 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44936 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44935 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44934 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44933 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44932 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44931 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44930 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44929 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44928 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44927 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44926 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44925 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44924 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44923 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44920 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44919 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44918 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44917 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44916 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44913 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44912 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44911 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Fruitfly variant outbound connection detected (malware-cnc.rules)
 * 1:44907 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44906 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44905 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44904 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44903 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44894 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44893 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44892 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44891 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER CouchDB remote privilege escalation attempt (server-other.rules)
 * 1:44889 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - WidgiToolbar (blacklist.rules)
 * 1:44888 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 1:44887 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 1:44886 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Volgmer (blacklist.rules)
 * 3:44908 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)
 * 3:44909 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)
 * 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)

Modified Rules:
 * 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43448 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43447 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43446 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:39498 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39497 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43445 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)

2017-11-21 17:12:13 UTC

Snort Subscriber Rules Update

Date: 2017-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44964 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44887 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 1:44886 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Volgmer (blacklist.rules)
 * 1:44888 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 1:44889 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - WidgiToolbar (blacklist.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER CouchDB remote privilege escalation attempt (server-other.rules)
 * 1:44891 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44892 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44893 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44894 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44903 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44904 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44905 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44906 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44907 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44911 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Fruitfly variant outbound connection detected (malware-cnc.rules)
 * 1:44912 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44913 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44916 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44917 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44918 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44919 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44920 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44923 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44924 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44925 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44926 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44927 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44928 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44929 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44930 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44931 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44932 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44933 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44934 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44935 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44936 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44937 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44938 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44939 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44940 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44941 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44942 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44947 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44948 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44949 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44950 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44951 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44952 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44955 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44956 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44957 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44958 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44959 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44960 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44961 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44962 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44963 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44990 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44989 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44988 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44987 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44985 <-> DISABLED <-> SERVER-OTHER Galil RIO-47100 denial of service attempt (server-other.rules)
 * 1:44984 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44983 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44982 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44981 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44980 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44979 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44978 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:44977 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44976 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem cnc communication attempt (malware-cnc.rules)
 * 1:44974 <-> DISABLED <-> SERVER-OTHER Cisco IOS Smart Install identification attempt (server-other.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:44969 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44970 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44968 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44967 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44966 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 1:44965 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
 * 3:44909 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)
 * 3:44908 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)

Modified Rules:
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43448 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43446 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43447 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:39498 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39497 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43445 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)

2017-11-21 17:12:13 UTC

Snort Subscriber Rules Update

Date: 2017-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44974 <-> DISABLED <-> SERVER-OTHER Cisco IOS Smart Install identification attempt (server-other.rules)
 * 1:44967 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44968 <-> ENABLED <-> FILE-PDF Acrobat malformed html tag out of bounds read attempt (file-pdf.rules)
 * 1:44965 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 1:44966 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro security bypass attempt (file-other.rules)
 * 1:44988 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44964 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44962 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44963 <-> ENABLED <-> FILE-FLASH Adobe Flash Player tvsdk object use after free attempt (file-flash.rules)
 * 1:44960 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44961 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44958 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44959 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values memory corruption attempt (file-image.rules)
 * 1:44956 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44957 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed XObject use after free attempt (file-pdf.rules)
 * 1:44955 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript infinite recursion heap overflow attempt (file-pdf.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44951 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44952 <-> DISABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK use after free attempt (file-flash.rules)
 * 1:44949 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44950 <-> ENABLED <-> FILE-PDF Acrobat TrueTypeFont file out of bounds read attempt (file-pdf.rules)
 * 1:44948 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44947 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader double free attempt (file-pdf.rules)
 * 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
 * 1:44941 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44942 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader FDF file security bypass attempt (file-other.rules)
 * 1:44939 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44940 <-> ENABLED <-> FILE-PDF Adobe Acrobat field dictionary value Unicode buffer overflow attempt (file-pdf.rules)
 * 1:44937 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44938 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMFPlus out of bounds buffer overflow attempt (file-other.rules)
 * 1:44935 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44936 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
 * 1:44934 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44933 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44931 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44932 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file embedded JPEG invalid SOS data memory corruption attempt (file-other.rules)
 * 1:44929 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44930 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF out of bounds write attempt (file-image.rules)
 * 1:44927 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44928 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture out of bounds read attempt (file-other.rules)
 * 1:44925 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44926 <-> ENABLED <-> FILE-PDF Adobe Acrobat thermometer object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44917 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44918 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44916 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt (server-webapp.rules)
 * 1:44913 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PrintParams out of bounds array index attempt (file-pdf.rules)
 * 1:44911 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Fruitfly variant outbound connection detected (malware-cnc.rules)
 * 1:44912 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro invalid APP13 marker size attempt (file-image.rules)
 * 1:44906 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44907 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javscript use after free attempt (file-pdf.rules)
 * 1:44904 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44905 <-> DISABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44902 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44903 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PSDK Metadata memory corruption attempt (file-flash.rules)
 * 1:44900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded javascript events use after free attempt (file-pdf.rules)
 * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound request attempt (malware-cnc.rules)
 * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44893 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44894 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF out of bounds read attempt (file-other.rules)
 * 1:44892 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44886 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Volgmer (blacklist.rules)
 * 1:44990 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44989 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object with automatic execution embedded in RTF attempt (file-office.rules)
 * 1:44983 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44984 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:44985 <-> DISABLED <-> SERVER-OTHER Galil RIO-47100 denial of service attempt (server-other.rules)
 * 1:44981 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44982 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt (malware-other.rules)
 * 1:44979 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44980 <-> DISABLED <-> FILE-PDF Foxit Reader util printf information disclosure attempt (file-pdf.rules)
 * 1:44978 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt (browser-firefox.rules)
 * 1:44888 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 1:44889 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - WidgiToolbar (blacklist.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER CouchDB remote privilege escalation attempt (server-other.rules)
 * 1:44891 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales memory corruption attempt (file-flash.rules)
 * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound request attempt (malware-cnc.rules)
 * 1:44987 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF font character encoding out of bounds write attempt (file-pdf.rules)
 * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
 * 1:44923 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44924 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF Bezier curve out of bounds read attempt (file-other.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem cnc communication attempt (malware-cnc.rules)
 * 1:44976 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection attempt (malware-cnc.rules)
 * 1:44969 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44970 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EmfPlusFont memory corruption attempt (file-image.rules)
 * 1:44977 <-> DISABLED <-> FILE-PDF Adobe Reader ActualText attribute type confusion attempt (file-pdf.rules)
 * 1:44887 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap hitTest integer overflow attempt (file-flash.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)
 * 3:44908 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)
 * 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
 * 3:44909 <-> ENABLED <-> FILE-OTHER KeyView SDK WordPerfect parsing stack buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:44060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:43448 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43447 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43446 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:43445 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
 * 1:39498 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39497 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)