Talos Rules 2015-05-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-043: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34379 through 34384, 34391 through 34392, 34405 through 34412, 34415, 34417 through 34425, 34430 through 34433, 34436 through 34437, and 34444 through 34445.

Microsoft Security Bulletin MS15-044: A coding deficiency exists in Microsoft GDI+ that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34440 through 34441.

Microsoft Security Bulletin MS15-045: A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34371 through 34372, 34385 through 34390, 34399 through 34400, and 34403 through 34404.

Microsoft Security Bulletin MS15-046: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34428 through 34429.

Microsoft Security Bulletin MS15-048: A coding deficiency exists in the Microsoft .NET Framework that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34401 through 34402 and 34434 through 34435.

Microsoft Security Bulletin MS15-051: A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34377 through 34378, 34413 through 34414, and 34442 through 34443.

Microsoft Security Bulletin MS15-052: A coding deficiency exists in the Microsoft Kernel that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34426 through 34427.

Microsoft Security Bulletin MS15-053: A coding deficiency exists in the Microsoft JScript and VBScript scripting engines that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34393 through 34394.

Microsoft Security Bulletin MS15-054: A coding deficiency exists in Microsoft Management Console that may lead to a Denial of Service (DoS).

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34438 through 34439.

Talos has also added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-office, file-other, malware-cnc, malware-other, malware-tools, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-05-12 18:15:00 UTC

Snort Subscriber Rules Update

Date: 2015-05-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34360 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34387 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34388 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34386 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34362 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mantal variant outbound connection attempt (malware-cnc.rules)
 * 1:34382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34430 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34434 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34359 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34415 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34410 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34400 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34395 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34385 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34375 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34361 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34438 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34396 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34433 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34398 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34435 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34377 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34378 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34376 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34399 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34374 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34373 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34403 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymoney.000a.de - Win.Trojan.Fareit (blacklist.rules)
 * 1:34404 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34406 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34366 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beebone outbound connection attempt (malware-cnc.rules)
 * 1:34407 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34365 <-> ENABLED <-> SERVER-WEBAPP Magento remote code execution attempt (server-webapp.rules)
 * 1:34408 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34409 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34392 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE8 compatibility mode enable attempt (browser-ie.rules)
 * 1:34417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34422 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34445 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34441 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34443 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34444 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34442 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34439 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34440 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34431 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34358 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL SonicOS macIpSpoofView cross site scripting attempt (server-webapp.rules)
 * 1:34350 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34353 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34351 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34349 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34352 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34363 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management GetStoredResult.class SQL injection attempt (server-webapp.rules)
 * 1:34357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:34238 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:34239 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:5789 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ActMon (blacklist.rules)
 * 1:30989 <-> ENABLED <-> BLACKLIST DNS request for known malware domain help.2012hi.hk (blacklist.rules)
 * 1:33770 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33769 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:28362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string SUiCiDE/1.5 (blacklist.rules)
 * 1:28482 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Terminator RAT variant outbound connection (malware-cnc.rules)
 * 1:28480 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.myftp.org (blacklist.rules)
 * 1:28481 <-> DISABLED <-> BLACKLIST DNS request for known malware domain catlovers.25u.com (blacklist.rules)
 * 1:28479 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.zapto.org (blacklist.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27981 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/tasks.php?uid= (blacklist.rules)
 * 1:28247 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/adduser.php?uid= (blacklist.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26837 <-> ENABLED <-> MALWARE-CNC BitBot Idle C2 response (malware-cnc.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20439 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:26295 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:20438 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20436 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20437 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)

2015-05-12 18:15:00 UTC

Snort Subscriber Rules Update

Date: 2015-05-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34362 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mantal variant outbound connection attempt (malware-cnc.rules)
 * 1:34366 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beebone outbound connection attempt (malware-cnc.rules)
 * 1:34367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymoney.000a.de - Win.Trojan.Fareit (blacklist.rules)
 * 1:34422 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34415 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34410 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34409 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34407 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34408 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34403 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34404 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34400 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34399 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34398 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34395 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34392 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34388 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34385 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34387 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34378 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34377 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34375 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34376 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34349 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34350 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34351 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34352 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34353 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34365 <-> ENABLED <-> SERVER-WEBAPP Magento remote code execution attempt (server-webapp.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34361 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34359 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34360 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34373 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34358 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL SonicOS macIpSpoofView cross site scripting attempt (server-webapp.rules)
 * 1:34374 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34386 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34396 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34406 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE8 compatibility mode enable attempt (browser-ie.rules)
 * 1:34421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34445 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34444 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34443 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34442 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34441 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34440 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34439 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34438 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34435 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34434 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34433 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34431 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34430 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34363 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management GetStoredResult.class SQL injection attempt (server-webapp.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:5789 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ActMon (blacklist.rules)
 * 1:34238 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:34239 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:33769 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:33770 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:28482 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Terminator RAT variant outbound connection (malware-cnc.rules)
 * 1:30989 <-> ENABLED <-> BLACKLIST DNS request for known malware domain help.2012hi.hk (blacklist.rules)
 * 1:28480 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.myftp.org (blacklist.rules)
 * 1:28481 <-> DISABLED <-> BLACKLIST DNS request for known malware domain catlovers.25u.com (blacklist.rules)
 * 1:28362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string SUiCiDE/1.5 (blacklist.rules)
 * 1:28479 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.zapto.org (blacklist.rules)
 * 1:28247 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/adduser.php?uid= (blacklist.rules)
 * 1:27981 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/tasks.php?uid= (blacklist.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26837 <-> ENABLED <-> MALWARE-CNC BitBot Idle C2 response (malware-cnc.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26295 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:20438 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20439 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20436 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20437 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)

2015-05-12 18:15:00 UTC

Snort Subscriber Rules Update

Date: 2015-05-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34431 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34430 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos object use after free attempt (browser-ie.rules)
 * 1:34429 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34428 <-> ENABLED <-> FILE-OFFICE Microsoft Word incorrect ptCount element denial of service attempt (file-office.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34425 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer compatibility mode use after free attempt (browser-ie.rules)
 * 1:34423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34422 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement object use-after-free attempt (browser-ie.rules)
 * 1:34421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDispScroller object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE8 compatibility mode enable attempt (browser-ie.rules)
 * 1:34415 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer dd element use after free attempt (browser-ie.rules)
 * 1:34414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetScrollBarInfo information disclosure attempt (os-windows.rules)
 * 1:34412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSecurityContext type confusion use after free attempt (browser-ie.rules)
 * 1:34410 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34445 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34444 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock object use after free attempt (browser-ie.rules)
 * 1:34443 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34442 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NTUserGetTitleBarInfo information disclosure attempt (os-windows.rules)
 * 1:34441 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34440 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k TrueType Font parsing out of bounds attempt (os-windows.rules)
 * 1:34439 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34438 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .msc file stack overflow attempt (os-windows.rules)
 * 1:34437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTitleElement use after free attempt (browser-ie.rules)
 * 1:34435 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34434 <-> ENABLED <-> OS-WINDOWS Microsoft Windows .NET XML recursive call denial of service attempt (os-windows.rules)
 * 1:34433 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableGridBlock use after free attempt (browser-ie.rules)
 * 1:34409 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMNodeInserted use-after-free attempt (browser-ie.rules)
 * 1:34408 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34407 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox bypass attempt (browser-ie.rules)
 * 1:34406 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:34404 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34403 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Calendar object heap corruption attempt (os-windows.rules)
 * 1:34400 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34399 <-> ENABLED <-> FILE-OTHER Microsoft Journal file exploitation attempt (file-other.rules)
 * 1:34398 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34396 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34395 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34392 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData out of bounds read attempt (browser-ie.rules)
 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34388 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34387 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds write attempt (file-other.rules)
 * 1:34386 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34385 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:34382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer range use after free attempt (browser-ie.rules)
 * 1:34380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox privilege escalation attempt (browser-ie.rules)
 * 1:34378 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34377 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetComboBoxInfo information disclosure attempt (os-windows.rules)
 * 1:34376 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34375 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34374 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34373 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt (server-other.rules)
 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34370 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymoney.000a.de - Win.Trojan.Fareit (blacklist.rules)
 * 1:34368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload variant outbound connection (malware-cnc.rules)
 * 1:34366 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beebone outbound connection attempt (malware-cnc.rules)
 * 1:34365 <-> ENABLED <-> SERVER-WEBAPP Magento remote code execution attempt (server-webapp.rules)
 * 1:34364 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt (server-webapp.rules)
 * 1:34363 <-> DISABLED <-> SERVER-WEBAPP Novell ZENworks Configuration Management GetStoredResult.class SQL injection attempt (server-webapp.rules)
 * 1:34362 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mantal variant outbound connection attempt (malware-cnc.rules)
 * 1:34361 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34360 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34359 <-> DISABLED <-> SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt (server-webapp.rules)
 * 1:34358 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL SonicOS macIpSpoofView cross site scripting attempt (server-webapp.rules)
 * 1:34357 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34356 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34355 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34354 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:34353 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34352 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34351 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34350 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 1:34349 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt (server-other.rules)
 * 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:34239 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:5789 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ActMon (blacklist.rules)
 * 1:33770 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34238 <-> DISABLED <-> SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt (server-other.rules)
 * 1:30991 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:33769 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:30989 <-> ENABLED <-> BLACKLIST DNS request for known malware domain help.2012hi.hk (blacklist.rules)
 * 1:30990 <-> ENABLED <-> MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection (malware-cnc.rules)
 * 1:28481 <-> DISABLED <-> BLACKLIST DNS request for known malware domain catlovers.25u.com (blacklist.rules)
 * 1:28482 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Terminator RAT variant outbound connection (malware-cnc.rules)
 * 1:28479 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.zapto.org (blacklist.rules)
 * 1:28480 <-> DISABLED <-> BLACKLIST DNS request for known malware domain liumingzhen.myftp.org (blacklist.rules)
 * 1:28362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string SUiCiDE/1.5 (blacklist.rules)
 * 1:28323 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27981 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/tasks.php?uid= (blacklist.rules)
 * 1:28247 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
 * 1:27968 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27980 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /botnet/adduser.php?uid= (blacklist.rules)
 * 1:27966 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:27967 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:26837 <-> ENABLED <-> MALWARE-CNC BitBot Idle C2 response (malware-cnc.rules)
 * 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
 * 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:26295 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
 * 1:20439 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:26294 <-> ENABLED <-> FILE-OTHER Watering Hole Campaign applet download (file-other.rules)
 * 1:20437 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20438 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)
 * 1:20436 <-> DISABLED <-> MALWARE-TOOLS THC SSL renegotiation DOS attempt (malware-tools.rules)