Talos Rules 2018-02-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-linux, os-other, os-windows, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-02-20 16:06:09 UTC

Snort Subscriber Rules Update

Date: 2018-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45687 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45686 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45688 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:45696 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45695 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45694 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.GandCrab outbound connection (malware-cnc.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:45690 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)
 * 3:45689 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)

Modified Rules:


 * 1:264 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:262 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34923 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34920 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:34919 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34918 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:266 <-> DISABLED <-> OS-OTHER x86 FreeBSD overflow attempt (os-other.rules)
 * 1:265 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt ADMv2 (os-linux.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43883 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44024 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44067 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44066 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44065 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44064 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44056 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44055 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)

2018-02-20 16:06:09 UTC

Snort Subscriber Rules Update

Date: 2018-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45695 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45686 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45696 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45688 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:45694 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.GandCrab outbound connection (malware-cnc.rules)
 * 1:45687 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:45689 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)
 * 3:45690 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)

Modified Rules:


 * 1:44066 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44067 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:262 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:264 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:265 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt ADMv2 (os-linux.rules)
 * 1:266 <-> DISABLED <-> OS-OTHER x86 FreeBSD overflow attempt (os-other.rules)
 * 1:34918 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:34919 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34920 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:34921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34923 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43883 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44024 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44055 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44056 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:44065 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:44064 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)

2018-02-20 16:06:09 UTC

Snort Subscriber Rules Update

Date: 2018-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45688 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (snort3-server-webapp.rules)
 * 1:45686 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (snort3-file-other.rules)
 * 1:45694 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.GandCrab outbound connection (snort3-malware-cnc.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)
 * 1:45695 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (snort3-file-pdf.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (snort3-server-other.rules)
 * 1:45687 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (snort3-file-other.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)
 * 1:45696 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (snort3-file-pdf.rules)

Modified Rules:


 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44067 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (snort3-file-pdf.rules)
 * 1:44066 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:44056 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (snort3-file-pdf.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (snort3-file-other.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (snort3-server-other.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (snort3-file-pdf.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (snort3-file-multimedia.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (snort3-file-pdf.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (snort3-file-pdf.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (snort3-file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (snort3-file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (snort3-file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (snort3-file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (snort3-file-multimedia.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (snort3-file-other.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (snort3-file-other.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (snort3-file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (snort3-file-other.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (snort3-malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (snort3-malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (snort3-malware-cnc.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (snort3-server-webapp.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (snort3-file-pdf.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (snort3-file-pdf.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (snort3-browser-ie.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (snort3-browser-ie.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (snort3-file-image.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (snort3-file-image.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
 * 1:264 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (snort3-os-linux.rules)
 * 1:266 <-> DISABLED <-> OS-OTHER x86 FreeBSD overflow attempt (snort3-os-other.rules)
 * 1:34919 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (snort3-browser-plugins.rules)
 * 1:34921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (snort3-browser-plugins.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (snort3-file-pdf.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (snort3-protocol-dns.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (snort3-server-webapp.rules)
 * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (snort3-server-webapp.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (snort3-server-webapp.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (snort3-file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (snort3-file-pdf.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (snort3-server-webapp.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (snort3-server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (snort3-server-webapp.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (snort3-file-other.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (snort3-file-other.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (snort3-file-pdf.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (snort3-file-pdf.rules)
 * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (snort3-file-pdf.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (snort3-file-pdf.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (snort3-file-other.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (snort3-file-pdf.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (snort3-file-pdf.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (snort3-file-image.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (snort3-file-image.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (snort3-file-other.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (snort3-file-other.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (snort3-file-pdf.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (snort3-server-webapp.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (snort3-file-pdf.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (snort3-file-pdf.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (snort3-file-other.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (snort3-file-other.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (snort3-file-other.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (snort3-file-pdf.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (snort3-file-pdf.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (snort3-server-webapp.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (snort3-server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (snort3-server-webapp.rules)
 * 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (snort3-file-image.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (snort3-file-multimedia.rules)
 * 1:44024 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (snort3-file-image.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (snort3-policy-other.rules)
 * 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (snort3-file-other.rules)
 * 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (snort3-file-other.rules)
 * 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (snort3-file-pdf.rules)
 * 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (snort3-file-pdf.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (snort3-file-multimedia.rules)
 * 1:44064 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:44065 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:44055 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:265 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt ADMv2 (snort3-os-linux.rules)
 * 1:262 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (snort3-os-linux.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (snort3-file-other.rules)
 * 1:34918 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (snort3-file-pdf.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (snort3-file-pdf.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (snort3-policy-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (snort3-server-webapp.rules)
 * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (snort3-server-webapp.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (snort3-os-windows.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (snort3-os-windows.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (snort3-file-pdf.rules)
 * 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (snort3-server-webapp.rules)
 * 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (snort3-server-webapp.rules)
 * 1:34923 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (snort3-browser-plugins.rules)
 * 1:34922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (snort3-browser-plugins.rules)
 * 1:34920 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (snort3-file-other.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (snort3-file-other.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43883 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (snort3-file-pdf.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (snort3-file-pdf.rules)
 * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (snort3-file-pdf.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (snort3-file-other.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (snort3-file-other.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (snort3-server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (snort3-server-webapp.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (snort3-file-pdf.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (snort3-file-other.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (snort3-file-multimedia.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (snort3-server-webapp.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (snort3-file-other.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (snort3-file-other.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (snort3-file-image.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (snort3-file-image.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (snort3-file-pdf.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (snort3-file-pdf.rules)

2018-02-20 16:06:09 UTC

Snort Subscriber Rules Update

Date: 2018-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45687 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45694 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.GandCrab outbound connection (malware-cnc.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45696 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45695 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45688 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:45686 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 3:45689 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)
 * 3:45690 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)

Modified Rules:


 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44066 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44067 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44065 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:262 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:264 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:34918 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:34919 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:34923 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:43883 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:44056 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44055 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:44064 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:265 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt ADMv2 (os-linux.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:34922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:34921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34920 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:266 <-> DISABLED <-> OS-OTHER x86 FreeBSD overflow attempt (os-other.rules)
 * 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:44024 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)

2018-02-20 16:06:09 UTC

Snort Subscriber Rules Update

Date: 2018-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45687 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45694 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.GandCrab outbound connection (malware-cnc.rules)
 * 1:45695 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45688 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45686 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded JPEG out of bounds read attempt (file-other.rules)
 * 1:45696 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript XFA engine use after free attempt (file-pdf.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 3:45689 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)
 * 3:45690 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0527 attack attempt (file-office.rules)

Modified Rules:


 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44066 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44067 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44065 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44064 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:44055 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44056 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:44053 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44054 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG file invalid quantization table use-after-free attempt (file-pdf.rules)
 * 1:44033 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44034 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional EMF file JPEG Huffman table memory corrupt attempt (file-other.rules)
 * 1:44023 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44024 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:34923 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43882 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43881 <-> DISABLED <-> FILE-PDF Adobe PDF file annotation plugin use after free memory corruption attempt (file-pdf.rules)
 * 1:264 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:262 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt (os-linux.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:266 <-> DISABLED <-> OS-OTHER x86 FreeBSD overflow attempt (os-other.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:34920 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:34918 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX clsid access (browser-plugins.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:41346 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:41349 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:42094 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt (server-webapp.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:41390 <-> ENABLED <-> SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt (server-webapp.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:34919 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:42092 <-> DISABLED <-> POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt (policy-other.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:42095 <-> DISABLED <-> SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt (server-webapp.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:265 <-> DISABLED <-> OS-LINUX x86 Linux overflow attempt ADMv2 (os-linux.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43883 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43884 <-> ENABLED <-> FILE-PDF Acrobat Reader FontDescriptor object type confusion attempt (file-pdf.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:34921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:34922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access (browser-plugins.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:41348 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:41347 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud command injection attempt (server-webapp.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)