Talos Rules 2017-12-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, file-flash, file-java, file-multimedia, file-office, file-other, malware-cnc, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-12-21 18:29:49 UTC

Snort Subscriber Rules Update

Date: 2017-12-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules)
 * 1:45257 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 1:45256 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 1:45255 <-> ENABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:45258 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45224 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45225 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45226 <-> DISABLED <-> SERVER-WEBAPP FreePBX recording interface file upload code execution attempt (server-webapp.rules)
 * 1:45227 <-> DISABLED <-> SERVER-OTHER Docker Rancher Server remote code execution attempt (server-other.rules)
 * 1:45228 <-> DISABLED <-> SERVER-OTHER Medal Of Honor Allied Assault getinfo buffer overflow attempt (server-other.rules)
 * 1:45229 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45231 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DDEDownloader variant outbound connection detected (malware-cnc.rules)
 * 1:45232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CactusTorch download attempt detected (malware-cnc.rules)
 * 1:45233 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus stop command attempt (protocol-scada.rules)
 * 1:45234 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus start command attempt (protocol-scada.rules)
 * 1:45235 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall router.php XML attribute injection attempt (server-webapp.rules)
 * 1:45236 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall cms_changeDeviceContext.esp session injection attempt (server-webapp.rules)
 * 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45239 <-> ENABLED <-> MALWARE-CNC Win.Malware.Freenki variant outbound connection (malware-cnc.rules)
 * 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45243 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45244 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded root password telnet login attempt (policy-other.rules)
 * 1:45245 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45246 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45247 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45249 <-> DISABLED <-> SERVER-WEBAPP UAParser.js library regular expression denial of service attempt (server-webapp.rules)
 * 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules)
 * 1:45251 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45259 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45252 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45253 <-> DISABLED <-> SERVER-OTHER Dahua DVR hard-coded root login attempt (server-other.rules)
 * 3:45248 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:45003 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45007 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45008 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45010 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45009 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45011 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:18806 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:25074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:45013 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:29097 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29098 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:29100 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29102 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:45014 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:33565 <-> DISABLED <-> SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt (server-other.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:45015 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:45016 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:39157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:45002 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:45004 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)

2017-12-21 18:29:49 UTC

Snort Subscriber Rules Update

Date: 2017-12-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45258 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45257 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules)
 * 1:45252 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45253 <-> DISABLED <-> SERVER-OTHER Dahua DVR hard-coded root login attempt (server-other.rules)
 * 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules)
 * 1:45251 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45247 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45249 <-> DISABLED <-> SERVER-WEBAPP UAParser.js library regular expression denial of service attempt (server-webapp.rules)
 * 1:45245 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45246 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45243 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45244 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded root password telnet login attempt (policy-other.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45239 <-> ENABLED <-> MALWARE-CNC Win.Malware.Freenki variant outbound connection (malware-cnc.rules)
 * 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules)
 * 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45235 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall router.php XML attribute injection attempt (server-webapp.rules)
 * 1:45236 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall cms_changeDeviceContext.esp session injection attempt (server-webapp.rules)
 * 1:45234 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus start command attempt (protocol-scada.rules)
 * 1:45232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CactusTorch download attempt detected (malware-cnc.rules)
 * 1:45233 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus stop command attempt (protocol-scada.rules)
 * 1:45230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45231 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DDEDownloader variant outbound connection detected (malware-cnc.rules)
 * 1:45228 <-> DISABLED <-> SERVER-OTHER Medal Of Honor Allied Assault getinfo buffer overflow attempt (server-other.rules)
 * 1:45229 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45226 <-> DISABLED <-> SERVER-WEBAPP FreePBX recording interface file upload code execution attempt (server-webapp.rules)
 * 1:45227 <-> DISABLED <-> SERVER-OTHER Docker Rancher Server remote code execution attempt (server-other.rules)
 * 1:45224 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45225 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45259 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45255 <-> ENABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:45256 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 3:45248 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:18806 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:25074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:29097 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29098 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:29100 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29102 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:33565 <-> DISABLED <-> SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt (server-other.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:39157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:45008 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45009 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:45007 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45010 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45011 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45013 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45014 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45015 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45016 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45004 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45002 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:45003 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)

2017-12-21 18:29:49 UTC

Snort Subscriber Rules Update

Date: 2017-12-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45224 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45225 <-> DISABLED <-> FILE-FLASH Adobe Flash memory corruption exploit attempt (file-flash.rules)
 * 1:45226 <-> DISABLED <-> SERVER-WEBAPP FreePBX recording interface file upload code execution attempt (server-webapp.rules)
 * 1:45227 <-> DISABLED <-> SERVER-OTHER Docker Rancher Server remote code execution attempt (server-other.rules)
 * 1:45228 <-> DISABLED <-> SERVER-OTHER Medal Of Honor Allied Assault getinfo buffer overflow attempt (server-other.rules)
 * 1:45229 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45230 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - SocStealer (blacklist.rules)
 * 1:45231 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DDEDownloader variant outbound connection detected (malware-cnc.rules)
 * 1:45232 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CactusTorch download attempt detected (malware-cnc.rules)
 * 1:45233 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus stop command attempt (protocol-scada.rules)
 * 1:45234 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon Quantum modbus start command attempt (protocol-scada.rules)
 * 1:45235 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall router.php XML attribute injection attempt (server-webapp.rules)
 * 1:45236 <-> ENABLED <-> SERVER-WEBAPP Palo Alto Networks Firewall cms_changeDeviceContext.esp session injection attempt (server-webapp.rules)
 * 1:45237 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45238 <-> DISABLED <-> SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt (server-webapp.rules)
 * 1:45239 <-> ENABLED <-> MALWARE-CNC Win.Malware.Freenki variant outbound connection (malware-cnc.rules)
 * 1:45256 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 1:45240 <-> DISABLED <-> SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45259 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45258 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
 * 1:45257 <-> DISABLED <-> BROWSER-OTHER IBM Notes denial of service attempt (browser-other.rules)
 * 1:45243 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45244 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded root password telnet login attempt (policy-other.rules)
 * 1:45245 <-> DISABLED <-> POLICY-OTHER ZyXEL PK5001Z modem hardcoded admin password telnet login attempt (policy-other.rules)
 * 1:45246 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45247 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox DOM event handler privilege escalation attempt (browser-firefox.rules)
 * 1:45249 <-> DISABLED <-> SERVER-WEBAPP UAParser.js library regular expression denial of service attempt (server-webapp.rules)
 * 1:45250 <-> ENABLED <-> SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt (server-webapp.rules)
 * 1:45251 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45252 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Spider variant download attempt detected (malware-cnc.rules)
 * 1:45253 <-> DISABLED <-> SERVER-OTHER Dahua DVR hard-coded root login attempt (server-other.rules)
 * 1:45254 <-> DISABLED <-> SERVER-OTHER Polycom HDX Series remote code execution attempt (server-other.rules)
 * 3:45248 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:45003 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45012 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45013 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:18806 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:21319 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:21322 <-> DISABLED <-> FILE-OTHER Multiple products version.dll dll-load exploit attempt (file-flash.rules)
 * 1:25074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection (malware-cnc.rules)
 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:45009 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45007 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45011 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:29097 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29098 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:45005 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:29100 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access attempt (browser-plugins.rules)
 * 1:45006 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45004 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:29102 <-> DISABLED <-> BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX access attempt (browser-plugins.rules)
 * 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
 * 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:33565 <-> DISABLED <-> SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt (server-other.rules)
 * 1:35773 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35774 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:35775 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:45014 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:35776 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:45010 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:35777 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:45008 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:35778 <-> DISABLED <-> FILE-MULTIMEDIA Matroska libmatroska track video double free attempt (file-multimedia.rules)
 * 1:36365 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt (server-webapp.rules)
 * 1:45015 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:36366 <-> DISABLED <-> SERVER-WEBAPP Typo3 CMS index cross site scripting attempt (server-webapp.rules)
 * 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:39157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:45002 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)
 * 1:45016 <-> DISABLED <-> FILE-OTHER Jackson databind deserialization remote code execution attempt (file-other.rules)